On Wed, 2005-10-19 at 07:42 +0200, Åke Sandgren wrote:
> On Tue, 2005-10-18 at 14:23 +0200, Oscar Koeroo wrote:
> > Hi Maarten:
> > From a security point of view I can understand this very strict use of
> > giving each job its own poolaccount.
>
> I for one can't think of anything at all that would increase security by
> having one account / job. Examples please?
What would be your alternative, a group account for each VO? For
security purposes, you want to be able to audit the users' actions on
your site and for this to be possible you have to give each user their
own local account. In fact, recycling pool accounts makes this a little
harder since you now have to keep a complete history of when each user
was mapped to each pool account.
> On the contrary having one account / job increases complexity and hence
> increases the risk for security problems.
I don't see how a pool of accounts causes a major increase in complexity
if a facility goes from say hundreds of local user accounts to 10s of
thousands of grid pool accounts. Each unused pool account only takes up
negligible space in your passwd/nis/ldap (or whatever account system
your facility uses) area and negligible space for an empty directory on
your /home disk.
The most secure way, which gives the facility the ability to do user
auditing, is with a pool of accounts that gives each grid user their own
local account. Then the local facility can decide for themselves when
it is appropriate to start recycling unused pool accounts, which leads
to your point below...
> And (as we all know already) recycling accounts must not be done without
> having verified VERY STRICTLY that ALL files and traces of the previous
> use of the account have been eliminated and in my opinion shouldn't be
> done with less than at least a few days turnaround time to ease "after
> the fact" traceability. Then start adding up all the jobs that pass
> through a large site on let's say 3-4 days...
>
--
/------------------------------------------------------------------\
| Jason A. Smith Email: [log in to unmask] |
| Atlas Computing Facility, Bldg. 510M Phone: (631)344-4226 |
| Brookhaven National Lab, P.O. Box 5000 Fax: (631)344-7616 |
| Upton, NY 11973-5000 |
\------------------------------------------------------------------/
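An added example (not from the thread or any of the grid middleware it discusses) of the bookkeeping this argument implies: a lease log that answers the audit question "which grid identity held pool account X at time T", and a pre-recycle check that enforces an idle period and scans for files still owned by the account's uid. The log format, the 4-day idle period, the directory roots and the identities are constructed assumptions.

```python
import os
from datetime import datetime, timedelta

# Constructed lease log (assumed format): which grid identity was mapped to
# which pool account, and when the lease ended (None = still held).
LEASES = [
    # (pool_account, grid_identity, leased_at, released_at)
    ("atlas001", "/DC=org/DC=example/CN=Alice", "2005-10-10T08:00", "2005-10-12T09:30"),
    ("atlas001", "/DC=org/DC=example/CN=Bob",   "2005-10-14T11:00", None),
    ("atlas002", "/DC=org/DC=example/CN=Carol", "2005-10-01T00:00", "2005-10-02T00:00"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def who_held(account, when):
    """Audit question: which grid identity was mapped to `account` at `when`?"""
    t = _ts(when)
    for acct, dn, start, end in LEASES:
        if acct == account and _ts(start) <= t and (end is None or t < _ts(end)):
            return dn
    return None  # nobody held it then (account idle or never used)

def leftover_files(uid, roots):
    """Paths under `roots` (scratch, /tmp, home) still owned by `uid`."""
    found = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    if os.lstat(path).st_uid == uid:
                        found.append(path)
                except OSError:
                    pass  # vanished or unreadable; not ours to clean here
    return found

def recyclable(account, uid, roots, now, min_idle_days=4):
    """Reuse is allowed only if the last lease ended >= min_idle_days ago
    (assumed quarantine, keeps traces available for after-the-fact tracing)
    and no files owned by the account's uid remain under `roots`."""
    ends = [end for acct, _, _, end in LEASES if acct == account]
    if not ends:
        return True, "never used"
    if any(end is None for end in ends):
        return False, "still leased"
    idle = _ts(now) - max(_ts(end) for end in ends)
    if idle < timedelta(days=min_idle_days):
        return False, f"only {idle.days} days idle"
    left = leftover_files(uid, roots)
    if left:
        return False, f"{len(left)} files still owned by uid {uid}"
    return True, "ok"
```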