Hi All,
With the best possible intentions, I'll say this.
We were given a solution to an issue, and only now we are looking to
see what the issue was and what its implications are. This is the
problem I tried to avoid in the Ops Meeting by saying that a proposal
should be circulated first, as an RFC. In my view, it's best to
present the issue, then discuss the pros and cons of each solution
(inc. the status quo). We can then compare all that and collectively
decide what requirement to levy on the sites. This is the normal
practice for changes, i.e. consensus first, then act (don't act, then
build consensus). Anyway, we live and learn. It's too late to do that
now. But the discussion that is happening needs to happen, so I guess
I'm happy enough.
Please let us know when this is a _requirement_ rather than a
discussion, then we can move to roll-out.
Cheers,
Steve
On 08/06/2015 01:38 PM, Simon Fayer wrote:
> Hi Alessandra,
>
> It is trivial to remove the VOMS credentials from a standard proxy and
> resign it with a different VO that the owner is a member of
> (voms-proxy-init -noregen). This is somewhat mitigated on modern CREAM-CEs
> by the use of limited proxies (at least on the nodes I've examined) but
> this may not always be something that can be relied upon.
>
> It may also be possible to use the pilot proxy to pull other jobs from
> DIRAC, which would at the very least give a path for one user to steal
> another user's credentials. Even within a single VO this would clearly be
> unacceptable.
>
> Regards,
> Simon
>
>
> On Thu, Aug 06, 2015 at 12:56:53PM +0100, Alessandra Forti wrote:
>> Hi Daniela,
>>
>> We discussed this yesterday in the security meeting and we don't understand
>> how the proxy can be used to access other VOs' data. Each pilot will surely
>> be submitted with different VOMS credentials. You cannot have a proxy with
>> all the VOs credentials in it and a naked proxy is not accepted by any
>> service anymore. Is this a Dirac peculiarity?
>>
>> cheers
>> alessandra
--
Steve Jones
Grid System Administrator, office: 220
High Energy Physics Division, tel (int): 43396
Oliver Lodge Laboratory, tel (ext): +44 (0)151 794 3396
University of Liverpool, http://www.liv.ac.uk/physics/hep/