Hit send by mistake......
This is the original plan. The suggestion that we can have pilot and non-pilot sites is a recent UK idea. It still needs checking with the VOs.
John
-----Original Message-----
From: "Ewan MacMahon" <[log in to unmask]>
To: "[log in to unmask]" <[log in to unmask]>
Sent: 10/11/09 10:59
Subject: Re: Next UKI meeting - Thursday 19th November
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
>
> A quote from John will hopefully put this back in context:
>
> "The STRONG advice from the security people was that not changing
> identity put the whole infrastructure at risk, not just that site.
This is very, very wrong and completely at odds with the discussions
that have taken place in past UKI meetings. Up until the last few days
it's always been the plan that in the absence of suid glExec (or the
equivalent) sites would simply not be able to run multiuser pilot jobs.
It now appears that the plan has changed to one in which multi user
pilot systems will be run regardless. Doing this would indeed put the
infrastructure at risk, as well as breaking the existing grid AUPs
and security policies.
The choice here should be "Run glExec or don't get pilots", not "Run
glExec or we'll do something hopelessly insecure on your site and then
blame you for it."
Ewan