Hi Simon
Reading this thread late, but Glasgow reconfigured to use pool
accounts for sgm and prd roles last September and we have not had any
problems.
It might not be the preference of VOs but they certainly seem able to
live with it. From a security POV the arguments are compelling.
Cheers
Graeme
On 22 Feb 2008, at 09:52, Simon George wrote:
> Thanks John and Linda for your input. Given the strength of your
> recommendation it's a pity that the VOs' preference is at odds with
> it.
> Is everyone else able to satisfy the auditing requirements or are
> most sites fudging it for an easier life w.r.t. VOs?
>
> Cheers,
> Simon
>
> Cornwall, LA (Linda) wrote:
>> Duncan and others,
>> You should not use static accounts if more than 1 user is to use
>> them.
>> Users can steal each other's proxies if more than 1 user uses the same
>> account. As John says, there is also the issue of traceability. The
>> Grid Security Vulnerability Group produced an advisory on this last
>> year.
>> http://www.gridpp.ac.uk/gsvg/advisories/advisory-12161.txt
>> Linda
>>> -----Original Message-----
>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>> [log in to unmask]] On Behalf Of Gordon, JC (John)
>>> Sent: 22 February 2008 08:03
>>> To: [log in to unmask]
>>> Subject: Re: sgm/prd pool accounts
>>>
>>> Duncan, are you confident that if multiple people use an sgm account at
>>> your site at the same time that you can satisfy the auditing
>>> requirements to know who did what?
>>>
>>> John
>>>
>>>> -----Original Message-----
>>>> From: Testbed Support for GridPP member institutes
>>>> [mailto:[log in to unmask]] On Behalf Of Duncan Rand
>>>> Sent: 21 February 2008 16:12
>>>> To: [log in to unmask]
>>>> Subject: sgm/prd pool accounts
>>>>
>>>> Hi
>>>>
>>>> At RHUL and QMUL we are installing new clusters and I am
>>>> coming across the thorny issue of sgm and prd pool accounts.
>>>> I see that the yaim instructions now state that "Note: static
>>>> accounts are not recommended".
>>>> When I did a quick poll of VOs they said yes we can deal
>>>> with pool sgm accounts but we prefer static sgm accounts. So
>>>> at RHUL I am planning to use pool prd accounts and static sgm
>>>> accounts. Has anybody got any comments?
>>>>
>>>> many thanks
>>>> Duncan
>>>>
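A site can check the traceability question raised in this thread by listing every static local account that more than one certificate DN maps to. The sketch below is an added example, not part of the original messages or of yaim; it assumes a grid-mapfile with one quoted DN and one target per line, where a leading "." marks a pool prefix, and all DNs and account names in it are constructed.

```python
import shlex
from collections import defaultdict

# Constructed sample in grid-mapfile syntax: a quoted certificate DN followed
# by a local account; a leading "." marks a pool prefix (one account per DN).
SAMPLE_GRIDMAP = '''\
# constructed entries, not taken from any site
"/C=UK/O=eScience/OU=SiteA/CN=alice example" atlassgm
"/C=UK/O=eScience/OU=SiteB/CN=bob example" atlassgm
"/C=UK/O=eScience/OU=SiteA/CN=carol example" .atlasprd
"/C=UK/O=eScience/OU=SiteC/CN=dave example" .atlasprd
"/C=UK/O=eScience/OU=SiteC/CN=erin example" opsstatic
'''


def parse_gridmap(text):
    """Yield (dn, target) pairs, skipping blanks, comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # honours the quotes around the DN
        except ValueError:
            continue  # unbalanced quote: ignore the line
        if len(parts) == 2:
            yield parts[0], parts[1]


def shared_static_accounts(text):
    """Return {account: [DNs]} for static accounts mapped by more than one DN."""
    by_account = defaultdict(set)
    for dn, target in parse_gridmap(text):
        if not target.startswith("."):  # pool prefixes give each DN its own account
            by_account[target].add(dn)
    return {a: sorted(d) for a, d in by_account.items() if len(d) > 1}


if __name__ == "__main__":
    for account, dns in shared_static_accounts(SAMPLE_GRIDMAP).items():
        print(f"{account}: shared by {len(dns)} DNs")
        for dn in dns:
            print(f"  {dn}")
```

Any account this reports is one where local process and file ownership alone cannot distinguish which user acted.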