Stephen's summary is fine. The text Ewan quotes from the minutes was the
Deployment Board's input. Since then glexec has been subject to deeper
security reviews and the security consensus seems to be:-
a) running multi-user pilot jobs with glexec in null mode breaks all
policies and good practice for identifing who is responsible for work on
your site. Who would you all have been whinging about if you couldn't
anthropomorphise the RSA jobs.
b) glexec in logging mode leaves user jobs running with the identity of
the pilot job framework. ie the ability to run glexec and access to the
proxies, work and data of all the other users running under the
framework on the same WN.
That leaves glexec in setuid mode or not running multi-user pilot jobs.
If no sites agree to this the experiments will have to find other ways
to do their computing.
The WLCG Management Board endorsed the policy with a few small changes.
There are a number of prerequisites like security reviews of glexec and
the experiment pilot job frameworks and it will not take effect until
the MB is happy with the outcome of them all.
Not having root access to WNs is not really an argument. No-one expects
such frameworks to run on a cluster without the knowledge of the cluster
owners. The idea is that someone (The experiments, WLCG, GRIDPP?) should
negotiate with sites to get the pilot job frameworks (not just glexec)
running as part of the installed software on a cluster. Reviews of the
framework and software are all supporting evidence for those
negotiations.
I'll finish now and read the umpteen mails on this thread that will
doubtless have circulated while I was writing,
John
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Burke, S (Stephen)
> Sent: 08 November 2007 13:41
> To: [log in to unmask]
> Subject: Re: PMB minutes and glexec
>
> Testbed Support for GridPP member institutes
> > [mailto:[log in to unmask]] On Behalf Of Ewan MacMahon said:
> > It sounds rather as though the idea of requiring sites to install
> > glexec SUID is being resurrected,
>
> Yes, it is (well, it never really went away).
>
> > Can someone please clarify whether we're being asked to do the
> > impossible in installing glexec SUID, or whether the agreed
> compromise
> > still holds?
>
> You will probably get a more official response from John
> Gordon, but the situation seems to be that LCG are proposing
> to make it mandatory for all LCG sites to install glexec
> SUID, and will then see how many sites refuse to do it as a
> matter of principle.
>
> Stephen
>
|