[jsdl-wg] my view on execution user and group
Yuri Demchenko
demch at science.uva.nl
Thu Apr 7 11:35:28 CDT 2005
Michel Drescher wrote:
>
>> On Apr 07, Yuri Demchenko loaded a tape reading:
>>
>>> In some respects the CNL process flow requires that the JobDescription
>>> carries some kind of delegation from the user, e.g. the User wants the
>>> Grid processing environment to maintain the trust/delegation path.
>
> Any information that directly relates to authentication or authorisation
> of the information stored in a JSDL instance document (yes, I promised
> to be clearer in my language...) should be handled in the embracing
> instance document (or by other means).
>
I persistently want to draw your attention to the specific use case when
users/customers require that all jobs submitted on behalf of them
carry an unbroken path of credentials/trust.
This is a requirement on the Resource's processing environment to have
this functionality, and this can be achieved by including SubjectID and
SubjConfData/Creds information.
You may decide not to include these elements, but then you probably need
to explain this in the Security considerations section.
If you move your JSDL doc from one su-exec/admin domain/host to
another, you definitely need to worry about this kind of potential
vulnerability.
This is also an outcome of the ongoing EGEE operational security model
development.
Regards,
Yuri