Brew, CAJ (Chris) wrote:
>
> This came up briefly in the face to face and maybe if we have an agreed
> list we can push we can get something done about them.
>
> To kick things off here's my top three:
>
> 1) Pool Accounts (Passable solution with 5 VOs of 50 users, just
> possible with 20 VOs of 200 Users, it'll be a nightmare with thousands
> of users and groups through VOMS and transient VOs).
My phrasing:
Never store files as owned by pool accounts, or use pool accounts to
control access or give rights. Pool accounts can then be recycled at
end of job and do not need different pools for different VOs.
This requires grid storage which is aware of VOs and their VOMS
subgroups etc., and the pool account groups were meant to be a short-term
hack until something like GridSite was deployed everywhere.
Cheers,
Andrew
-------------------------------------------------------------------
Dr Andrew McNab +44-(0)161-275-4227
Co-ordinator of Security Middleware Groups, GridPP & Manchester HEP
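The point Andrew is making, as an added illustration that is not part of the thread and is not GridPP, VOMS or GridSite code: a toy model in which pool-account uids are leased from one shared pool and handed back at end of job. Storage that authorises on the POSIX owner uid leaks the previous job's output to whoever is mapped to the recycled uid next (and also locks out the legitimate owner once they are mapped to a different uid), while storage that records and checks the owner's VOMS FQAN behaves correctly with a single VO-agnostic pool. All names (the DNs, the FQANs, the uid range, the `PoolAccountMapper` and `Storage` classes and the file path) are constructed for the example.

```python
"""Toy model of pool-account recycling (added example, hypothetical names).

Two authorisation modes are contrasted:
  "uid"  - the store checks only the POSIX owner uid of the file;
  "fqan" - the store records the creator's VOMS FQAN and checks the
           caller's FQAN instead (what a VO-aware store would do).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Job:
    dn: str      # grid certificate DN of the submitter (constructed)
    fqan: str    # primary VOMS FQAN in the proxy, e.g. /atlas/Role=production


@dataclass
class StoredFile:
    owner_uid: int     # pool account the creating job ran as
    owner_fqan: str    # VOMS attribute recorded at creation time


class PoolAccountMapper:
    """Leases uids from one shared pool; released uids go back and are reused."""

    def __init__(self, uids: List[int]) -> None:
        self.free = list(uids)
        self.lease: Dict[str, int] = {}   # DN -> uid currently held

    def acquire(self, job: Job) -> int:
        if job.dn in self.lease:
            return self.lease[job.dn]
        if not self.free:
            raise RuntimeError("pool exhausted")
        uid = self.free.pop(0)
        self.lease[job.dn] = uid
        return uid

    def release(self, job: Job) -> None:
        # End of job: the uid is recycled and may be mapped to any DN/VO next.
        self.free.append(self.lease.pop(job.dn))


class Storage:
    def __init__(self, mode: str) -> None:
        if mode not in ("uid", "fqan"):
            raise ValueError("mode must be 'uid' or 'fqan'")
        self.mode = mode
        self.files: Dict[str, StoredFile] = {}

    def write(self, path: str, uid: int, job: Job) -> None:
        self.files[path] = StoredFile(owner_uid=uid, owner_fqan=job.fqan)

    def can_read(self, path: str, uid: int, job: Job) -> bool:
        f = self.files[path]
        if self.mode == "uid":
            return f.owner_uid == uid          # ownership tied to a recycled uid
        return f.owner_fqan == job.fqan        # ownership tied to the VOMS attribute


ATLAS = Job(dn="/C=UK/O=eScience/CN=alice", fqan="/atlas/Role=production")
CMS = Job(dn="/C=UK/O=eScience/CN=bob", fqan="/cms")
PATH = "/grid/out/result.root"


def cross_vo_leak(mode: str) -> bool:
    """True if a later job from another VO can read the first job's output
    after the first job's pool account has been recycled."""
    mapper, store = PoolAccountMapper([50001]), Storage(mode)  # one uid forces reuse
    uid = mapper.acquire(ATLAS)
    store.write(PATH, uid, ATLAS)
    mapper.release(ATLAS)
    uid_next = mapper.acquire(CMS)            # CMS job now holds uid 50001
    return store.can_read(PATH, uid_next, CMS)


def owner_still_reads(mode: str) -> bool:
    """True if the original submitter can still read their own file when a
    later job of theirs is mapped to a different uid from the pool."""
    mapper, store = PoolAccountMapper([50001, 50002]), Storage(mode)
    uid = mapper.acquire(ATLAS)               # 50001
    store.write(PATH, uid, ATLAS)
    mapper.release(ATLAS)                     # free list is now [50002, 50001]
    uid_later = mapper.acquire(ATLAS)         # 50002: a different pool account
    return store.can_read(PATH, uid_later, ATLAS)


if __name__ == "__main__":
    for mode in ("uid", "fqan"):
        print(f"{mode:>4}: cross-VO leak={cross_vo_leak(mode)}, "
              f"owner still reads={owner_still_reads(mode)}")
```

With `mode="uid"` the only way to avoid the cross-VO leak is to give each VO its own pool of uids, which is the scaling problem Chris describes; and even then the legitimate owner loses access as soon as they are mapped to a different member of the pool. With `mode="fqan"` a single shared pool is safe to recycle at end of job because the uid never carries any rights.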