As far as I have understood, all the options have risk. Isn't the
credential delegation per-service or (if finer control and more security
is needed) per-method 'the' safest option?
Keith Thompson wrote:
On Fri 07-06-15 09:40, Charles Bacon wrote:
It comes down to trust, right? There are some questions to answer:
1) Do you know who bob is?
2) Do you trust bob?
And for 2, what exactly do you trust bob to do? If you gave bob
access to the globus user's account, would he do something he
shouldn't do? This gets harder when you also want to add alice. Do
you trust bob and alice to both use the account how they're supposed
to, and not to interfere with each other?
Many people find the answer to "do I trust bob to use a shared
account" to be no. For this reason, most sites will only map bob's
DN to an account that bob already owns. Other people decide that
it's okay for bob not to have an account of his own, and there are
various technical solutions to the problem.
One solution to the problem is to create a pool of anonymous
accounts, and map incoming DNs you trust to the random pool. Another
solution might be to start each new job inside a virtual machine
sandbox to isolate it from other users and the real system underneath.
So the answer is that you can do with the tools whatever makes you
comfortable as a system owner. :-)
And in particular, mapping Bob's DN to the "globus" account is
likely to be a very bad idea. Assuming the "globus" account is
the one you used to install Globus, that would give Bob (presumably
an end user, not an administrator) the ability to alter or remove
the Globus installation, and to mess around with Globus processes.
Depending on what the "globus" account is trusted to do, it might even
give Bob the ability to break into other accounts (if, for example,
the grid-mapfile is owned by the "globus" account). You might as
well give Bob the root password.
Using a shared account is fine if that's consistent with your
administrative policy (and you can trust your users not to interfere
with each other), but be sure the shared account doesn't have any
special privileges beyond what's actually needed.
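
A grid-mapfile audit for the two risks raised in this thread (a DN mapped to the account that owns the Globus installation, and one local account shared by several DNs), added here as an example and not code from any of the posters or from Globus. The sample mapfile, its DNs and account names, and the PRIVILEGED set are constructed assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample grid-mapfile; DNs and account names are made up.
SAMPLE_GRIDMAP = '''\
# "subject DN" local_account[,local_account...]
"/O=Grid/OU=Example/CN=Bob" globus
"/O=Grid/OU=Example/CN=Alice" alice
"/O=Grid/OU=Example/CN=Carol" pool001
"/O=Grid/OU=Example/CN=Dave" pool001,dave
'''

# Assumption: accounts that own the Globus installation or hold admin rights.
PRIVILEGED = {"root", "globus"}


def parse_gridmap(text):
    """Yield (dn, [accounts]) for every mapping line, skipping comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted DN, spaces included
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed mapping {raw!r}")
        dn, accounts = parts
        yield dn, [a for a in accounts.split(",") if a]


def audit(text, privileged=PRIVILEGED):
    """Return findings for privileged mappings and for shared accounts."""
    findings = []
    users_of = defaultdict(list)
    for dn, accounts in parse_gridmap(text):
        for acct in accounts:
            users_of[acct].append(dn)
            if acct in privileged:
                findings.append(("privileged", acct, dn))
    for acct, dns in users_of.items():
        if len(dns) > 1 and acct not in privileged:
            findings.append(("shared", acct, tuple(dns)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GRIDMAP):
        print(finding)
```

A "shared" finding is not necessarily a fault: it lists the accounts where the site policy on shared use has to be a deliberate decision.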