On Fri 07-06-15 09:40, Charles Bacon wrote:
> It comes down to trust, right?  There are some questions to answer:
> 
> 1)  Do you know who bob is?
> 2)  Do you trust bob?
> 
> And for 2, what exactly do you trust bob to do?  If you gave bob  
> access to the globus user's account, would he do something he  
> shouldn't do?  This gets harder when you also want to add alice.  Do  
> you trust bob and alice to both use the account how they're supposed  
> to, and not to interfere with each other?
> 
> Many people find the answer to "do I trust bob to use a shared  
> account" to be no.  For this reason, most sites will only map bob's  
> DN to an account that bob already owns.  Other people decide that  
> it's okay for bob not to have an account of his own, and there are  
> various technical solutions to the problem.
> 
> One solution to the problem is to create a pool of anonymous  
> accounts, and map incoming DNs you trust to the random pool.  Another  
> solution might be to start each new job inside a virtual machine  
> sandbox to isolate it from other users and the real system underneath.
> 
> So the answer is that you can do with the tools whatever makes you  
> comfortable as a system owner.  :-)

And in particular, mapping Bob's DN to the "globus" account is
likely to be a very bad idea.  Assuming the "globus" account is
the one you used to install Globus, that would give Bob (presumably
an end user, not an administrator) the ability to alter or remove
the Globus installation, and to mess around with Globus processes.
Depending on what the "globus" account is trusted to do, it might even
give Bob the ability to break into other accounts (if, for example,
the grid-mapfile is owned by the "globus" account).  You might as
well give Bob the root password.

Using a shared account is fine if that's consistent with your
administrative policy (and you can trust your users not to interfere
with each other), but be sure the shared account doesn't have any
special privileges beyond what's actually needed.

-- 
Keith Thompson <[EMAIL PROTECTED]>  San Diego Supercomputer Center
<http://users.sdsc.edu/~kst/>  858-822-0853
"We must do something.  This is something.  Therefore, we must do this."
    -- Antony Jay and Jonathan Lynn, "Yes Minister"
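As an added illustration of the point above (not code from the original thread or from the Globus project): a small Python audit that parses a grid-mapfile, flags any DN mapped to the account that owns the Globus installation or to root, and checks that the file itself is root-owned and not group/other-writable, so that no mapped user could rewrite it. The sample grid-mapfile contents, the DNs and the privileged account names are constructed assumptions; the parser assumes the usual quoted-DN entry form.

```python
import os
import re
import stat
from typing import List, Tuple

# Constructed sample grid-mapfile (assumption, not a real site's file).
# Format: "Distinguished Name" local_account[,local_account...]
SAMPLE_GRIDMAP = '''\
# grid-mapfile
"/C=US/O=Example Grid/OU=People/CN=Bob Example" bob
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice,globus
"/C=US/O=Example Grid/OU=Services/CN=batch-submitter" globus
"/C=US/O=Example Grid/OU=People/CN=Mallory Example" root
'''

# Accounts that must never be a mapping target: the account used to install
# Globus and the superuser.  The set is an assumption; adjust it per site.
PRIVILEGED_ACCOUNTS = {"globus", "root"}

ENTRY_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text: str) -> List[Tuple[str, List[str]]]:
    """Parse grid-mapfile text into (DN, [accounts]) pairs.

    Blank lines and '#' comments are skipped; any other line that does not
    match the quoted-DN form is rejected rather than silently ignored."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed grid-mapfile entry: {line!r}")
        dn, accounts = m.group(1), m.group(2).split(",")
        entries.append((dn, accounts))
    return entries


def find_privileged_mappings(entries, privileged=PRIVILEGED_ACCOUNTS):
    """Return (DN, account) pairs where a DN is mapped to a privileged account."""
    return [(dn, acct) for dn, accts in entries for acct in accts if acct in privileged]


def gridmap_permission_problems(uid: int, mode: int) -> List[str]:
    """Check ownership and mode bits of the grid-mapfile.

    The file should be owned by root (so the service account cannot rewrite
    its own mappings) and must not be writable by group or other."""
    problems = []
    if uid != 0:
        problems.append(f"owned by uid {uid}, expected root (uid 0)")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_gridmap_path(path: str) -> List[str]:
    """Stat a real grid-mapfile and combine content and permission findings."""
    st = os.stat(path)
    findings = [f"file: {p}" for p in gridmap_permission_problems(st.st_uid, st.st_mode)]
    with open(path, encoding="utf-8") as fh:
        entries = parse_gridmap(fh.read())
    findings += [f"{dn!r} is mapped to privileged account {acct!r}"
                 for dn, acct in find_privileged_mappings(entries)]
    return findings


if __name__ == "__main__":
    # Run the content checks against the constructed sample.
    for dn, acct in find_privileged_mappings(parse_gridmap(SAMPLE_GRIDMAP)):
        print(f"WARNING: {dn} -> {acct}")
```

Run `audit_gridmap_path("/etc/grid-security/grid-mapfile")` on a host to get both kinds of findings; an empty list means every DN maps to an ordinary account and the file is root-owned with no group/other write bit.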
