Hi Adrian
> OK. If the feedback from VOs, and especially from WLCG VOs, was OK, I have
> nothing to say on this. Maybe I missed the mails when the VOs
> communicated the results of these discussions to their contributors.
"Grid Policy on the Handling of User-Level Job Accounting Data" hasn't
been changed since its approval in 2009 and it was defined in
collaboration with WLCG: "Imported from JSPG policy document with the
same title. No changes to wording were made. See
https://edms.cern.ch/document/855382 (V1.0, dated 6 Aug 2009) for the
old JSPG document."
(https://documents.egi.eu/document/85)
This policy was defined after consultation with many legal experts.
Because of wrong configurations, many sites were not enforcing the
policy; this explains the ticket received by your site from EGI.
>> The Grid Policy on the Handling of User-Level Job Accounting Data says:
>> <<Each site is responsible for sending its accounting records on a
>> regular basis, e.g. daily, with at least user DNs encrypted in
>> transport, to a central data base defined by the Grid.>> and
>> <<Access to a portal that allows the decoding of the anonymised name
>> into a person’s DN is restricted to individuals in the VO appointed to
>> be VO Resource Managers.>>
>>
>> That means that users are aware of the fact that the accounting data can
> Where is this meaning in the paragraph above? Unless it is written
> explicitly in their AUP, the users don't know.
The user signs an AUP at the time of registering membership in a VO.
This is the generic VO AUP template:
"Members and Managers of the VO agree to be bound by the Grid Acceptable
Use Policy, the various security policies and other relevant Grid
policies, and to use the Grid only in the furtherance of the stated goal
of the VO." (from the Virtual Organization Registration Security Policy,
https://documents.egi.eu/document/78).
Among the "various security policies" we have the VO Operations Policy
(http://documents.egi.eu/document/77), which claims:
"You shall comply with the Grid security policies, the VO AUP and any
archival, accounting and logging requirements. You shall periodically
assess, at least once per year, your compliance with these policies and
inform the Grid Security Officer of any violations encountered in the
assessment, and correct such violations forthwith"
>> VO use the accounting portal to access the data, how are VOs supposed to
>> access accounting data if this information is not provided to the
>> repository?
> Hmm, I might hit a technical misunderstanding of mine here:
> doesn't the VO have the only job submitter machine (WMS) for the
> respective VO? If so, the WMS can directly log the user DN and the
> associated job information, which can lead to more detailed accounting.
Submission through WMS is just one of the possible supported mechanisms
for job submission to CEs. Direct submission is also used by many VOs
including WLCG. As to WMS, a VO can use a pool of WMS servers, so even
if WMS were able to collect accounting data (which is not at the
moment), the VO would still need a DB for aggregation.
> So, is it possible to send a job to a site with some VO credentials
> directly? Well, that means IMHO that EMI is deeply _broken_ from a
> security point of view!! A site should receive jobs ONLY from an
> authenticated submission server of the VO and no other! (And the UI part
> of job submission should connect only to this central (VO) submission
> mechanism.)
Submission through WMS does not make the CE infrastructure more secure.
WMS submits to CEs by means of user-delegated credentials.
> Well, I am still not satisfied with this "centrally", and the submission
> mechanism should be repaired fast. The thing is that we are a small
> institute and we cannot afford any "potential" legal problems.
The user DN information is encrypted when transported to the central
accounting DB. User-level accounting information is only made accessible
to the user, and to the respective VO managers.
User data is treated confidentially by the DB administrators and used
for the sole purpose of the provisioning of grid services (like many
other organizations which handle private information).
Tiziana Ferrari
--
Tiziana Ferrari
EGI.eu Operations
0031 (0)6 3037.2691