The reason for having the central emergency suspension is to stop an incident spreading. E.g. if an incident occurs (especially outside office hours) it is much quicker to stop jobs associated with particular DN(s) from starting by adding the DN(s) to the central emergency suspension list which is automatically downloaded than requesting individual sites to ban a user. I think sites MUST download the central emergency suspension list, they can use Argus or their own implementation.
Also, a user can be removed very quickly from central the emergency suspension list, and have their access re-instated.
See policy document:
https://documents.egi.eu/public/ShowDocument?docid=1475
I would also imagine emergency suspension is quite rare, like a few times a year if an incident occurs associated with a DN.
It has also been noted that emergency suspension does not imply fault on the user's part, e.g. a certificate may have been stolen. It is thought of as 'emergency suspension' of a DN for dealing with an incident, rather than 'banning' a user.
Linda
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Daniela Bauer
> Sent: 17 December 2013 10:43
> To: [log in to unmask]
> Subject: Re: ARGUS/glexec deployment tracking
>
> I have to admit, I don't even understand the policy requirement.
> Surely any site policy would trump any centrally imposed policy to start with ? I
> mean if I have a user who has fallen foul of something, then has had a talking to
> (preferably by me) and really needs to run some jobs why shouldn't I allow
> him/her back on my site as long as I am convinced they've mended their ways ?
> I'm not worried about the technical implementation. I've got Simon and his
> magic python scripts ...
>
> cheers,
> Daniela
>
>
> On 17 December 2013 10:39, Jeremy Coles <[log in to unmask]> wrote:
> > Hi Daniela,
> >
> > True, you do not even need to use ARGUS/glexec so long as you can clearly
> meet the policy requirement. However you do have to be able to implement
> what you pick up and if you have another method then we'll just record N/A
> against your site. Happy to discuss this at today's meeting.
> >
> > Jeremy
> >
> >
> >
> > On 17 Dec 2013, at 10:19, Daniela Bauer wrote:
> >
> >> I don't think having the SE/CEs authenticating Argus is a requirement
> >> - the requirement states that you need to be able to pick up the
> >> central banning somehow and that's it [*]. Can we please not make up
> >> requirements where there aren't any ?
> >>
> >> Daniela "I'm still waiting for the end of the 512 proxy saga"
> >>
> >> [*] http://wiki.nikhef.nl/grid/Argus_Global_Banning_Setup_Overview
> >>
> >> On 17 December 2013 00:28, Jeremy Coles <[log in to unmask]> wrote:
> >>> Dear Site admins,
> >>>
> >>> At the ops meeting last week we discussed the status of ARGUS and glexec
> across sites (generally both very good following the SL6 move). However having
> ARGUS deployed was only one of the deployment steps. Next we need to
> configure the CEs and SEs to authenticate via ARGUS, and then later also to
> pickup updates from a national ARGUS server. With this in mind I took an action
> to create a tracking table which you will find here:
> https://www.gridpp.ac.uk/wiki/ARGUS_deployment.
> >>>
> >>> Please could you take a look at the page, check/update the first two
> columns for your site and ask any questions you may have at the ops meeting
> later on Tuesday.
> >>>
> >>> Many thanks,
> >>> Jeremy
> >>
> >>
> >>
> >> --
> >> Sent from the pit of despair
> >>
> >> -----------------------------------------------------------
> >> [log in to unmask]
> >> HEP Group/Physics Dep
> >> Imperial College
> >> London, SW7 2BW
> >> Tel: +44-(0)20-75947810
> >> http://www.hep.ph.ic.ac.uk/~dbauer/
>
>
>
> --
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask]
> HEP Group/Physics Dep
> Imperial College
> London, SW7 2BW
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
--
Scanned by iCritical.
|