Hi
The move to pool accounts for the SGM and prod roles has been
requested directly via the various security groups, who were acting on
the sites' behalf. Typically the larger the site, the more they worried
about this kind of stuff; it boils down to a traceability issue in case
of a security incident.
The move from "single accounts" to pool groups for these roles did
not go smoothly, I agree.
The SE is a completely different story. On most SEs, pool accounts
are not used like this. For example, DPM has its own internal mapping
tables. There are a number of unresolved issues with SE access (NIKHEF
just submitted a new one yesterday to GGUS!); the GSSD group (contact
Flavia or Maarten) or the TCG (you have a representative) are following
the SE access issues.
JT
Joel Closier wrote:
> Hello,
>
> Is it possible to know who requested this? And what is the motivation to
> move in this direction?
>
> I spent one month fighting with sites when the SGM account for LHCb
> became a pool account (problem of permissions, essentially) because sites
> forget to consider that the permission for writing should be different
> and more open when you have a pool account than when you have a single
> account. So if it is really the direction that you want to follow, what
> are the plans for the Storage Element??? Because if we move to pool
> accounts, it means that you need to have at least WRITE permission for the
> group of pool accounts on each SE ... and it should be done by all the
> sites, and not that the users have to discover that the permissions are
> no longer correct and complain through GGUS.
>
>
> Regards.
>
> Joel.
>
> On 9 August 07 at 09:41, Jeff Templon wrote:
>
>> Hi *,
>>
>> I saw this message about a decision taken in the ops meeting:
>>
>> At the Grid Operations meeting of Monday 6th August (agenda:
>> http://indico.cern.ch/conferenceDisplay.py?confId=19740), a decision
>> was reached by the attending ROCs, sites and VOs which will
>> potentially affect all VOs.
>> The decision was that by default all sites will configure themselves
>> such that all VOs will be provided with pool accounts for the PRD and
>> SGM roles.
>>
>> I was not at that meeting (still on vacation) but I hope this is what
>> was meant:
>>
>> "by default, all sites will configure themselves such that all VOs
>> *requesting SGM and PRD functionality* will get pools of accounts for
>> these roles. "
>>
>> Not all VOs want or need SGM/PRD functionality and if they do not need
>> it, we prefer not to create and configure the accounts.
>>
>> The message went further to state that if a VO wished to have a
>> *single* account for PRD or SGM instead of pools, they should specify
>> this. Note that there is no guarantee that this request will be
>> respected by all sites.
>>
>> JT
>