Michal, right, everyone who can login as the user who runs the container is able to run the commands specified in the sudoers config. There's no need however for ws-gram users to know the login/password of the user who runs the container. Same like you typically don't want everybody to have root access to a machine.
Martin > Hi, > > thanks for reply. Does this mean, that everybody, who has an account on > a computer(or access to it) with globus, can run commands(defined in the > /etc/sudoers file), using sudo, as globus user? > > Michal >> Hi, >> >> sudo does not need any local credentials. The sudo application itself >> enables running commands as a different users without a password. >> We use it in Gram to submit jobs by the user who runs the container >> on behalf of another local user id that is mapped to the DN of the >> user who submitted the job in the grid-mapfile. >> >> See also >> http://www.globus.org/toolkit/docs/4.0/execution/wsgram/WS_GRAM_Approach.html#id2529940 >> >> Martin >> >> >> >>> Hi all, >>> >>> i'm new into globus toolkit and it's really impressive :) I wish to >>> >> learn more about GRAM security attributes. First, i'm interessed into >> sudo mechanism of local job execution. Where are the local credentials >> for sudo stored? In a certificate? Or are they received with a job? I >> read a lot about GSI and global GT security, but it's hard to find >> details about GRAM security. >> >>> Can anybody answer my dummy questions? :) Or give some usefull links >>> >> about GRAM security. I'm not sure, where to ask, in which mailing list >> should i write, gram or security... >> >>> Thanks a lot >>> >>> >>> >> >> >> >> >> >> > >
