> -----Original Message-----
> From: GRIDPP2: Deployment and support of SRM and local storage management
> [mailto:[log in to unmask]] On Behalf Of Jensen, Jens
>
> I did get a mail from Jeremy Y this morning to which I am yet to respond,
> but it is basically asking for input regarding raising the need for
> authorisation in infrastructures (which he and I have discussed
> previously.) This is where our stuff is good - as in it is not perfect but
> it works, for some suitable definition of "works".
>
To expand a bit on what I was wittering at Sam about in the meeting, I
think our X509 certs/proxies/VOMS infrastructure is the highest priority
thing we need to encourage people like dirac to get involved with. It
does have some rough edges, but it enables a huge amount of good stuff
that just can't be sanely done with 'simpler' solutions like username
and passwords.

While someone's use-case remains 'SSHing to a machine', it's certainly
overkill, but it starts being useful as soon as you're SSHing to
several machines, because then you need something to manage your user
database, and VOMS is actually pretty good at that.

The critical thing though is delegatable credentials. If you've got
sites X and Y and they let you SSH in with a username and password to
run jobs and access storage, you might think you've got it pretty good.
Until you want to run a job at site X that accesses something on site
Y's storage, at which point you're totally stuffed. With our setup,
the job proxy is so transparently part of the system that people don't
even need to think about it - their jobs can access their storage,
wherever either of them is. That's really, really good. And unusual.

People seem not to like X509 because it looks complicated while they're
doing simple things. They don't then get the opportunity to see how simple
it makes things when you're doing complicated things. We should try to get dirac
to start rolling out some e-Science Certificate[1] authenticated services
(like gsi-ssh access to login nodes and gridftp access to storage) in
parallel with their existing stuff as a pilot, then we can start
demonstrating the benefits in practice.

It's the single biggest thing we could do to help.

Ewan

[1] Or maybe 'Cloud Certificates' :-) Anything but 'grid'. How about
'Cloud Passports'? That seems suitably buzzword compliant.
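What the delegation described above looks like in code, as an added example that is not part of this thread or of any GridPP software: it models the RFC 3820 proxy-certificate pattern with Python's cryptography library. The user delegates by signing a short-lived certificate for a fresh key pair with their own long-lived key; the job carries only the proxy, and a site (X or Y alike) accepts it by chaining proxy to user to CA. The CA name, user name, lifetimes and the "proxy" CN are constructed for the example, and the VOMS attribute extension is left out.

```python
# Added example, not code from the GridPP thread: a minimal model of
# X.509 proxy-certificate delegation (RFC 3820 style) and the checks a
# site performs before trusting a presented proxy.  All names and
# lifetimes below are constructed for illustration.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _build(subject, issuer, pub, signer_key, lifetime, is_ca):
    """Build and sign one certificate; the signer's key decides the issuer."""
    now = datetime.datetime.utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + lifetime)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer_key, hashes.SHA256())
    )


def make_ca(cn="Example e-Science CA (constructed)"):
    key = _new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return key, _build(name, name, key.public_key(), key, datetime.timedelta(days=365), True)


def issue_user_cert(ca_key, ca_cert, cn, days=30):
    """The long-lived end-entity certificate a CA issues to a person."""
    key = _new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return key, _build(name, ca_cert.subject, key.public_key(), ca_key, datetime.timedelta(days=days), False)


def issue_proxy(user_key, user_cert, hours=12):
    """Delegation: a fresh key pair whose certificate is signed by the user's
    own key.  Only the proxy key and cert travel with the job."""
    proxy_key = _new_key()
    # RFC 3820 style subject: the user's DN with one extra CN component.
    subject = x509.Name(list(user_cert.subject) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    cert = _build(subject, user_cert.subject, proxy_key.public_key(), user_key,
                  datetime.timedelta(hours=hours), False)
    return proxy_key, cert


def _signed_by(cert, issuer_cert):
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def verify_proxy(proxy_cert, user_cert, ca_cert, now=None):
    """Checks a site runs on a presented proxy; returns a list of failures
    (empty list means the proxy is acceptable)."""
    now = now or datetime.datetime.utcnow()
    problems = []
    if not _signed_by(user_cert, ca_cert):
        problems.append("user cert not signed by trusted CA")
    if not _signed_by(proxy_cert, user_cert):
        problems.append("proxy not signed by the user cert it claims as issuer")
    if proxy_cert.issuer != user_cert.subject:
        problems.append("proxy issuer does not match user subject")
    subj = list(proxy_cert.subject)
    if subj[:-1] != list(user_cert.subject) or subj[-1].oid != NameOID.COMMON_NAME:
        problems.append("proxy subject is not the user DN plus one CN")
    if not (proxy_cert.not_valid_before <= now <= proxy_cert.not_valid_after):
        problems.append("proxy outside its validity window")
    if proxy_cert.not_valid_after > user_cert.not_valid_after:
        problems.append("proxy outlives the user cert")
    if proxy_cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        problems.append("proxy claims CA status")
    return problems


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    u_key, u_cert = issue_user_cert(ca_key, ca_cert, "Example User")
    _, p_cert = issue_proxy(u_key, u_cert)
    print("site X / site Y verdict on the job's proxy:", verify_proxy(p_cert, u_cert, ca_cert) or "accepted")
```

The same verify_proxy call is what both sites run, which is the point of the scheme: neither site needs the user's password or long-lived key, only the CA it already trusts, and the proxy's short lifetime bounds the damage if a job's credential leaks.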