> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Gareth Roy
>
> For a start there is a significant difference between a multiuser pilot
> and a multi-VO pilot. In a multiuser pilot, a privilege escalation due to
> credential theft can only raise the ability of that user within that VO
> (i.e. gaining a production role for instance) while in a multi-VO pilot a
> privilege escalation could give a role (of any type) within a VO that user
> is not part of. Now you might say that’s not a huge difference but I feel
> the second is worse than the first as at least the VO in question has some
> oversight.
>
I think that's something worth thinking about, taking into account that aspect of it along with how hard it would be to have separate pilot DNs per VO, but it doesn't affect the action being asked of sites - a site needs to have a mechanism for isolating user payloads, glExec or otherwise, in either case.
> Once credentials have been shipped by DIRAC to a site it’s
> similar to the issues with DRM, everything that’s needed to run the code
> is in place and the submission system or even the VO doesn’t have control
> anymore.
>
That's true, but I think the DRM comparison is useful - whoever controls the hardware controls the security, that's why it's the site's responsibility to provide this isolation. Site admins and the systems we run are unavoidably trusted in this system[1], we can already steal credentials that wind up on our nodes, and we can misconfigure our nodes in a wide variety of ways. We just have to not. Besides which, glExec is pretty easy to configure - you just YAIM it.
> I know, in general, all these issues are the same as running “big” VO jobs
> but in my limited experience working with the Grid we’ve had little
> problem with large VOs doing something naughty (due to other constraints
> and security mechanisms) and a lot of problems with small VO users doing
> things they shouldn’t with little oversight by VO managers.
>
I think that's fair, and that's partly why we probably don't want to fudge this and not bother doing it right any more; it is more important to box in the minor VOs than the big ones.
Ewan
[1] This system being one that doesn't do signed code/request bundles.
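The point both posters circle around is that once a pilot's proxy is on a worker node, the only thing standing between a payload and that credential is the site's isolation mechanism (glExec or otherwise). As an added example, not code from the list thread or from glExec/DIRAC, here is a small Python check a site could adapt: it models a pilot identity, the identity a payload is mapped to, and the pilot's credential files, then reports whether the payload could read them under POSIX permission rules. The uids, gids, paths and modes are constructed sample values.

```python
"""Check whether a pilot's credential files are readable by the identity
its payloads run as. Added example, not from the mailing-list thread.

The model: a pilot runs as one uid and holds a proxy on disk; a payload
is either mapped to a different uid (glExec-style isolation) or runs
as the pilot itself. File metadata is constructed inline so the check
runs offline; on a real node you would fill FileInfo from os.stat().
"""
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class FileInfo:
    path: str
    owner_uid: int
    owner_gid: int
    mode: int          # permission bits only, e.g. 0o600


@dataclass(frozen=True)
class Identity:
    uid: int
    gids: FrozenSet[int]   # primary plus supplementary groups


def can_read(f: FileInfo, who: Identity) -> bool:
    """POSIX discretionary read check: owner bits apply if you are the
    owner (and only those), else group bits if you share the group,
    else the 'other' bits. uid 0 reads everything (DAC override), which
    is also why a root payload defeats any such isolation."""
    if who.uid == 0:
        return True
    if who.uid == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.owner_gid in who.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def isolation_findings(pilot: Identity, payload: Identity,
                       credential_files: Iterable[FileInfo]) -> List[str]:
    """Return human-readable findings; an empty list means the payload
    identity cannot reach the pilot's credentials by plain file access."""
    findings = []
    if payload.uid == pilot.uid:
        findings.append("payload runs as the pilot uid: no isolation at all")
    for f in credential_files:
        if can_read(f, payload):
            findings.append(f"{f.path} (mode {oct(f.mode)}) readable by payload uid {payload.uid}")
    return findings


def sample_report() -> Dict[str, List[str]]:
    """Constructed scenarios (sample uids/paths, not real site values)."""
    pilot = Identity(uid=4001, gids=frozenset({4001}))
    proxy_ok = FileInfo("/tmp/x509up_u4001", 4001, 4001, 0o600)
    proxy_loose = FileInfo("/home/pilot/proxy.pem", 4001, 4001, 0o644)
    proxy_group = FileInfo("/home/pilot/.globus/userproxy", 4001, 4001, 0o640)

    # Case 1: no isolation, payload is the pilot process's own identity.
    same_user = pilot
    # Case 2: payload mapped to a pool account in an unrelated group.
    mapped = Identity(uid=4101, gids=frozenset({4101}))
    # Case 3: mapped to a pool account that shares the pilot's group.
    mapped_shared_group = Identity(uid=4102, gids=frozenset({4102, 4001}))

    files = [proxy_ok, proxy_loose, proxy_group]
    return {
        "no_isolation": isolation_findings(pilot, same_user, files),
        "mapped": isolation_findings(pilot, mapped, files),
        "mapped_shared_group": isolation_findings(pilot, mapped_shared_group, files),
    }


if __name__ == "__main__":
    for scenario, findings in sample_report().items():
        print(scenario, "->", findings or ["ok"])
```

The "mapped_shared_group" scenario is the one worth noticing: switching uid is not enough if the pool account still shares a group with the pilot and a proxy was left group-readable, so the check on file modes matters as much as the uid mapping.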