LHC Computer Grid - Rollout
> [mailto:[log in to unmask]] On Behalf Of Jan Just Keijser said:
> the robot token is located in a protected server room on an isolated
> well-controlled machine. A proxy is generated every 24 hours and
> uploaded using a well known password (and using "-d" ) to the MyProxy
> server.
I don't understand what you mean by "well-known" - a) if it's well-known how does it add any security, and b) how you you expect the WMSes to know it? I also don't understand why you would do it every 24 hours - the whole point of myproxy is that it can hold long-lived proxies.
> This has been working for nearly 4 years - could be we just got lucky
> during those 4 years, but where was it specified that you cannot do this?
It has always been specified in the WMS documentation, e.g. the glite user guide (page 41). If it seemed to work, the possibilities are that most jobs didn't need renewal, or perhaps that older versions of myproxy didn't check the password in renewal mode.
Stephen
--
Scanned by iCritical.
|