Hi
There was a big discussion about this issue ... it was very hard to
get the VOs to agree. But it would be really nice if someone could
achieve this.
For anyone who is interested, there are some thoughts on this:
- some discussions at the VO box TF meetings
- the AliEn package manager ... we can't just "use it" because it sucks
in half of AliEn, but the design might be interesting
- there is an old GAG document with lots of ideas on how to do this.
One big problem is manpower ... a group who manages to contribute a good
solution to the project would probably be really popular :)
JT
Maarten Litmaath, CERN wrote:
> Hi Kostas,
>
>> On Wed, Jun 20, 2007 at 10:54:21AM +0200, Maarten Litmaath wrote:
>>
>>> The "abuse" is not the point of this matter. It is the audit trail that
>>> gets confused when multiple DNs can be mapped to the same account.
>> I fail to see how pool accounts and having group writable files are
>> helping in the audit trail either, how can you tell who changed a file
>> in the sgm area if everything is supposed to be group writable?
>
> Note that sgm pool accounts leave that aspect unchanged: currently the VO
> software is writable for all DNs mapped to the single sgm account, while
> with sgm pool accounts the software will be writable for all DNs mapped
> to sgm pool accounts. Effectively no change.
>
> Sites may switch on more extensive system accounting (e.g. logging of
> system calls) and then the audit trail may be easier to follow, compared
> to the current situation in which a single sgm account does all updates
> of the software area. Whatever, the sgm pool accounts are not proposed
> to improve the situation in the software area!
>
>>> Of course the pool accounts only help to some extent: a hacked sgm DN
>>> can leave a trojan in the software area affecting the whole VO!
>> Or hack *all* VOs if it is dteamsgm since *all* jobs try to execute a
>> couple of files from the dteam software area.
>
> That is true for jobs submitted through an RB or WMS, but not for jobs
> submitted e.g. directly by Condor-G. The functionality in question will
> be moved to the much more restricted "ops" VO.
>
>>> Still, there are sites insisting that shared accounts shall go away...
>> That would be nice but is there an improvement if all their files are
>> group writable?
>
> See my comment above.
>
>>> Comments? Opinions?
>> Why do we need an sgm account at all? Why don't we just rsync (or an
>> ssl/gsi protected version of rsync) from a VO managed server and drop
>> the sgm accounts altogether?
>
> Yes, that seems a good idea! Does anyone see potential problems here?
> Firewall issues?
> Thanks,
> Maarten
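To make the audit-trail point in the quoted exchange concrete, here is an added model (not code from the thread or from any grid middleware) of the two mapping schemes: one shared sgm account for every DN versus a leased pool account per DN. The account names, DNs and login records are constructed, and the lease-per-DN behaviour is an assumption modelled on how pool accounts are usually described, not a specific implementation.

```python
"""Model of DN -> local account mapping on a grid CE.

Shows why a single shared account blurs the audit trail (one account,
many possible DNs) while pool accounts keep it unambiguous (one DN per
leased account). Constructed example; not an implementation of any
particular mapping tool.
"""
from dataclasses import dataclass, field


@dataclass
class AccountMapper:
    shared_account: str = "dteamsgm"  # constructed shared sgm account name
    # constructed pool of three sgm accounts (assumed naming scheme)
    pool: list = field(default_factory=lambda: [f"dteamsgm{i:03d}" for i in range(1, 4)])
    leases: dict = field(default_factory=dict)  # DN -> leased pool account

    def map_shared(self, dn: str) -> str:
        """Old scheme: every authorised DN becomes the same local account."""
        return self.shared_account

    def map_pool(self, dn: str) -> str:
        """Pool scheme: lease one account per DN; a returning DN gets its
        previous lease back, so account -> DN stays one-to-one."""
        if dn in self.leases:
            return self.leases[dn]
        in_use = set(self.leases.values())
        for acct in self.pool:
            if acct not in in_use:
                self.leases[dn] = acct
                return acct
        raise RuntimeError("sgm pool exhausted; no free account to lease")


def dns_behind(account: str, login_log: list) -> set:
    """Audit question: given a local account seen touching a file, which
    DNs could it have been? login_log is a list of (dn, account) records."""
    return {dn for dn, acct in login_log if acct == account}


def attribution_is_ambiguous(account: str, login_log: list) -> bool:
    """True when more than one DN has used this account, i.e. the audit
    trail cannot name a single person for actions by that account."""
    return len(dns_behind(account, login_log)) > 1


if __name__ == "__main__":
    m = AccountMapper()
    dns = ["/DC=org/DC=example/CN=alice", "/DC=org/DC=example/CN=bob"]
    shared_log = [(dn, m.map_shared(dn)) for dn in dns]
    pool_log = [(dn, m.map_pool(dn)) for dn in dns]
    print("shared ambiguous:", attribution_is_ambiguous("dteamsgm", shared_log))
    print("pool ambiguous:  ", attribution_is_ambiguous("dteamsgm001", pool_log))
```

Note that this only restores attribution for logins and file ownership; as Kostas points out, a group-writable software area still needs system-level accounting to say which leased account actually changed a given file.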