In a parallel set of emails on the appropriate CMS hyper news, it
appears that CMS would have real problems using pool accounts for sgm
roles because it uses apt. What do Atlas use that makes them more robust?

All the best,
david

Graeme Stewart wrote:
> Hi Simon
>
> Reading this thread late, but Glasgow reconfigured to use pool accounts
> for sgm and prd roles last September and we have not had any problems.
>
> It might not be the preference of VOs but they certainly seem able to
> live with it. From a security POV the arguments are compelling.
>
> Cheers
>
> Graeme
>
> On 22 Feb 2008, at 09:52, Simon George wrote:
>> Thanks John and Linda for your input. Given the strength of your
>> recommendation it's a pity that the VOs' preference is at odds with it.
>> Is everyone else able to satisfy the auditing requirements or are most
>> sites fudging it for an easier life w.r.t. VOs?
>>
>> Cheers,
>> Simon
>>
>> Cornwall, LA (Linda) wrote:
>>> Duncan and others,
>>> You should not use static accounts if more than 1 user is to use them.
>>> Users can steal each other's proxies if more than 1 user uses the same
>>> account. As John says, there is also the issue of traceability. The
>>> Grid Security Vulnerability Group produced an advisory on this last
>>> year.
>>> http://www.gridpp.ac.uk/gsvg/advisories/advisory-12161.txt
>>> Linda
>>>> -----Original Message-----
>>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>>> [log in to unmask]] On Behalf Of Gordon, JC (John)
>>>> Sent: 22 February 2008 08:03
>>>> To: [log in to unmask]
>>>> Subject: Re: sgm/prd pool accounts
>>>>
>>>> Duncan, are you confident that if multiple people use an sgm account at
>>>> your site at the same time that you can satisfy the auditing
>>>> requirements to know who did what?
>>>>
>>>> John
>>>>
>>>>> -----Original Message-----
>>>>> From: Testbed Support for GridPP member institutes
>>>>> [mailto:[log in to unmask]] On Behalf Of Duncan Rand
>>>>> Sent: 21 February 2008 16:12
>>>>> To: [log in to unmask]
>>>>> Subject: sgm/prd pool accounts
>>>>>
>>>>> Hi
>>>>>
>>>>> At RHUL and QMUL we are installing new clusters and I am
>>>>> coming across the thorny issue of sgm and prd pool accounts.
>>>>> I see that the yaim instructions now state that "Note: static
>>>>> accounts are not recommended".
>>>>> When I did a quick poll of VOs they said yes we can deal
>>>>> with pool sgm accounts but we prefer static sgm accounts. So
>>>>> at RHUL I am planning to use pool prd accounts and static sgm
>>>>> accounts. Has anybody got any comments?
>>>>>
>>>>> many thanks
>>>>> Duncan
>>>>>