That said, Stephen's quite right that the "obvious" way to do it is to
do the usual UNIX-groups permissions system.
(I think a more robust system would probably be to use cgroups to
create different mount namespaces for different VOMS roles, but we
definitely can't do that generically with grid middleware as it
stands.)
Given that CVMFS is world readable... would encrypted binaries work?
(I guess it depends on what subset of the 15G of software needs to be
restricted...)
Sam
On 17 July 2014 11:46, Catalin Condurache <[log in to unmask]> wrote:
> With a CVMFS approach (which I'd also encourage to look into for your first
> request) it is not possible to restrict access (your second request) for
> anyone. CVMFS filespace is publicly readable.
>
> Catalin
>
> From: Michel Jouvin [mailto:[log in to unmask]]
> Sent: 17 July 2014 11:17
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] Grid software management and protected software
>
> This seems an appropriate use case for CVMFS... This should help with the SW
> distribution. This will not help with restricting access to the SW but I
> think that this is something that must be handled by the SW itself (have a
> list of legitimate users and refuse to start with a user outside this list).
>
> Cheers,
>
> Michel
>
> On 17/07/2014 11:45, Daniela Bauer wrote:
>
> Hi,
>
> Can you not just put the software in the software area for your VO ? I can't
> imagine 15 GB (or even 100 or so) being an issue anywhere.
>
> I don't think there's a mechanism to restrict software to a specific subset
> of users, I guess you could add something to your software that checks for a
> certain role in the proxy and only runs if the user's proxy has that role,
> but otherwise you are probably out of luck.
>
> Cheers,
>
> Daniela
>
> On 17 July 2014 08:29, Jérôme Revillard <[log in to unmask]> wrote:
>
> Dear all,
>
> In the vo.neugrid.eu VO, we install a couple of huge software packages at
> the sites. Some (most) of these packages are bigger than 15Gb so you can easily
> imagine that every user cannot download it for every single job that he wants
> to run.
>
> A new constraint came into the picture a couple of weeks ago. Indeed, some
> of the software that we have to install must be restricted to a sub-part of
> the VO users, but we don't actually know how to achieve it using the Grid
> software management framework...
>
> Is there a way to do that still without having to download the software for
> every job (even from the local SE)?
>
> Best,
> Jerome
>
> --
> =====================================================
> Dr Jérôme Revillard
> CTO MAAT/GNUBILA France
> www.gnubila.fr
>
> 174 Impasse des Prés d'en Bas
> 74370 Argonay (France)
>
> Mob. 0033 676 108 185
> Tel. 0033 450 685 601
> =====================================================
>
> --
>
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask]
> HEP Group/Physics Dep
> Imperial College
> London, SW7 2BW
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
>
>
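
The UNIX-groups approach mentioned at the top of this thread, as an added example that is not part of any message here: one function locks a software tree down to a single group and another audits that nothing in it is readable by anyone else. It assumes the software area sits on a filesystem that honours POSIX permissions (so not CVMFS, which the thread notes is publicly readable) and that the site maps the permitted VO users to that group; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: restrict a VO software directory to one UNIX group and
# audit the result. Directory and group are supplied by the caller; the
# mapping of permitted VO users to that group is assumed to be site policy.

# lock_down_tree DIR GROUP
# Hand the tree to GROUP, strip all "other" access, let the group read and
# traverse it, and set setgid on directories so new files inherit GROUP.
lock_down_tree() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    chmod -R o-rwx,g+rX "$dir" || return 1
    find "$dir" -type d -exec chmod g+s {} + || return 1
}

# audit_restricted_tree DIR GROUP
# Print every path that is not owned by GROUP or that grants any permission
# bit to "other". Returns 0 only when no such path exists, 1 when offenders
# were found, 2 when the tree could not be scanned.
audit_restricted_tree() {
    dir=$1
    group=$2
    bad=$(find "$dir" \( ! -group "$group" \
            -o -perm -001 -o -perm -002 -o -perm -004 \) -print) || return 2
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Command-line use: script.sh DIR GROUP  (audit only, changes nothing)
if [ "$#" -eq 2 ]; then
    audit_restricted_tree "$1" "$2"
fi
```

Running the audit from a periodic job catches files that a later software install left world-readable or in the wrong group.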