AAI on Storage Systems

Status quo

  • SE + catalog configurations
    • Protect production data from users
    • Some experiments prevent tape access by users
    • User and group access regulated by experiment frameworks
      • Including quotas
      • SE may be more permissive than desired
        • To be checked and fixed as needed
  • X509 overhead
    • Use bulk methods, sessions, trusted hosts as needed
    • Cheap short-lived tokens may become desirable

Data protection

  • Do different data classes need the same security model?
    • Custodial
    • Cached
    • User
  • Access audit trail important for traceability
    • Security and performance investigations
  • Protection needed against:
    • Information leakage ("Higgs-discovery.root")
    • Accidental commands
    • Malicious outsider, insider

Issues with data ownership

  • Missing concept: data owned by the whole VO or by a service
    • Use robot certificates for that?
  • Mapping person to/from credential
    • Changes have consequences for data ownership
      • Certificate might indicate "formerly known as"?
      • Make use of VOMS nicknames or generic attributes?
    • X509 vs. Kerberos access
  • VO superuser concept desirable?
    • Avoid bothering SE admin for cleanups

More items

  • CASTOR: RFIO/NS backdoors to be closed
  • Not only data, but also SE itself needs protection
    • Against illegal data, DoS
  • Storage quotas
    • On SE: conflict with replicas
    • Better handled by experiment framework
    • Can still be useful to SE admin
    • Low priority, available for some SE types
  • Quotas on other resources e.g. bandwidth?
    • Prevent DoS

Pre-GDB meeting Feb 12, 2013

-- MaartenLitmaath - 29-Feb-2012

Topic attachments
I Attachment History Action Size Date Who Comment
Unknown file formatdocx Storage_Security.docx r4 r3 r2 r1 manage 68.8 K 2012-04-02 - 00:19 MaartenLitmaath summary document v0.4
PDFpdf Storage_Security.pdf r4 r3 r2 r1 manage 217.9 K 2012-04-02 - 00:20 MaartenLitmaath summary document v0.4
Edit | Attach | Watch | Print version | History: r6 < r5 < r4 < r3 < r2 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r6 - 2013-02-14 - MaartenLitmaath
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback