Hi Simon,
is there a reason why you are not using different DNs in the first place?
Surely Dirac is capable of handling them.
cheers
alessandra
On 06/08/2015 13:38, Simon Fayer wrote:
> Hi Alessandra,
>
> It is trivial to remove the VOMS credentials from a standard proxy and
> re-sign it with a different VO that the owner is a member of
> (voms-proxy-init -noregen). This is somewhat mitigated on modern CREAM-CEs
> by the use of limited proxies (at least on the nodes I've examined) but
> this may not always be something that can be relied upon.
>
> It may also be possible to use the pilot proxy to pull other jobs from
> DIRAC, which would at the very least give a path for one user to steal
> another user's credentials. Even within a single VO this would clearly be
> unacceptable.
>
> Regards,
> Simon
>
>
> On Thu, Aug 06, 2015 at 12:56:53PM +0100, Alessandra Forti wrote:
>> Hi Daniela,
>>
>> we discussed this yesterday in the security meeting and we don't understand
>> how the proxy can be used to access other VOs' data. Each pilot will surely
>> be submitted with different VOMS credentials. You cannot have a proxy with
>> all the VOs' credentials in it and a naked proxy is not accepted by any
>> service anymore. Is this a Dirac peculiarity?
>>
>> cheers
>> alessandra
--
Respect is a rational process. \\//
|