On Thu, Nov 08, 2007 at 10:31:43PM -0000, Kelsey, DP (David) wrote:
> Hi Ewan et al,
>
> You said ...
>
> > What we need is for the PMB to listen to the
> > site admins and feed these facts upwards.
> >
> > Given the near universal and quite vehement condemnation from
> > the site admins and various coordinators I'm rather surprised
> > that that isn't what's happening already.
> >
>
> I can assure you that everyone is fully aware of the UK sys admin views.
> These views are not just being ignored!
>
> As has already been explained (by Jeremy, Stephen, John and others) ...
>
> There are serious concerns about multi-user pilot jobs running without
> the identity switching. All user jobs run under the id of the pilot
> framework itself meaning that every user owns the framework, thereby
> being able to do whatever they want and write whatever they want into
> the logs. This does not meet the requirements for traceability.
....

All I can see are reasons why we need glexec to support pilot jobs. What
I haven't heard so far is **why** we need the pilot jobs in the first
place.

I could spend hours explaining why glexec is a bad idea (and I will),
but before that I would like someone to tell me why we need the
pilot jobs in the first place. So far I've only heard that to run
pilot jobs "securely" we need a suid glexec (which very conveniently
ignores the "small" issue of how you send the proxy to the pilot job
in a secure way). Glexec might be the solution (yeah, right) but if
so, it is the solution to the wrong problem.

Unfortunately, I know what the reply will be. Something close to: "our RB
model is badly designed and it doesn't really work so instead of fixing it
we'll hack something else on top of the existing hacks and at the same
time we'll ignore every system administrator that says that this is just
plain stupid because we know best".

Kostas