[gin-auth] [gin-ops] Debugging Globus SSL (Was: Re: start Savannah run)
Oscar Koeroo
okoeroo at nikhef.nl
Tue Feb 6 02:22:25 CST 2007
Hi JP,
I would say that creating a bunch of anonymous accounts would be a more
real-world and scalable scenario. We're now a group with a limited
number of people but I think it would be flawed to give everybody a
fixed account.
For instance in the LCG/EGEE production facilities there is one thing
you can be very certain about and that is that your account is an
anonymous poolaccount, it is mapped to your DN (and offered VOMS
attributes). This mapping is sticky but it can be scratched and cleaned
at any given time.
The bottom line is that you shouldn't rely on any consistency regarding
the effective Unix account that you may be using on a cluster.
This is not a matter of security, it is a matter of scale.
Oscar
JP Navarro wrote:
> On Feb 5, 2007, at 5:00 AM, Mike 'Mike' Jones wrote:
>> By the way, mapping all users to one account is a serious security
>> flaw.
>
> Mike,
>
> You are very correct. My understanding is that mapping all GIN users to
> a single account was a temporary approach to get GIN off the ground. It
> certainly wasn't intended to be a long-term solution, or to be used for
> more than proof-of-interoperability demos.
>
> Perhaps it is now time to come up with a more secure long term solution
> for GIN participants. Since there are only a few GIN users today,
> should
> we create individual accounts for all GIN users on all GIN participating
> grids? Or is there a better option that will scale better? Any
> suggestions
> on what that next, more secure, approach should be?
>
> Regards,
>
> JP
> ------------------------------------------------------------------------
> ------
> John-Paul Navarro (630)
> 252-1233
> navarro at mcs.anl.gov http://www.mcs.anl.gov/
> ~navarro
> TeraGrid Software Integration Univ of Chicago/Argonne
> Nat. Lab.
> GPG: 4EA9 C86B C0F0 113D 6306 98B7 3649 D6CB EFA8 4133
>
>
>
>
>
>
>
> --
> gin-ops mailing list
> gin-ops at ogf.org
> http://www.ogf.org/mailman/listinfo/gin-ops
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3540 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.ogf.org/pipermail/gin-auth/attachments/20070206/0ac9cf3c/attachment.bin
More information about the gin-auth
mailing list