On 16/06/11 11:41, Mingchao Ma wrote:
> Hi Elena,
>
>> there is still a question from Matt who is not on tb-support list:
>>
>> ....
>> Specifically we wanted to find out if either or both of these 2 ports: PAP
>> and PEP; should be open to connections from off-site.
>> It is unclear to us from the documentation whether the server will be
>> contacted on these ports just from local worker nodes and/or ce's or also
>> from elsewhere on the grid.
>> ....
>
> Argus is supposed to be your site central authorization service (eventually),
> there should be no reason why you expose it to the off-site network at all.

I thought one of the points of ARGUS was that it had the ability for the
VO or security team (who are offsite) to ban users without waiting for
the site admin to react. Clearly this would need access from offsite.
Perhaps I'm wrong and it's a way of an admin banning a user across all
resources at a site (once the CE and SE start to use it).

> It should be carefully firewalled; just make sure that your PEP client can talk
> to it (such as your CE, glexec etc.). For management/admin reasons you might
> need to connect to it from off-site (e.g. remotely manage policies); in this
> case, please use a VPN or SSH tunnel.
>
Chris
It Sounds