TWiki>
LCG Web>LCGGridDeployment>WLCGSecurityTEG>AAIOnStorageSystems (2013-02-14, MaartenLitmaath)
EditAttachPDF
LCG Web>LCGGridDeployment>WLCGSecurityTEG>AAIOnStorageSystems (2013-02-14, MaartenLitmaath) EditAttachPDFAAI on Storage Systems
Status quo
- SE + catalog configurations
- Protect production data from users
- Some experiments prevent tape access by users
- User and group access regulated by experiment frameworks
- Including quotas
- SE may be more permissive than desired
- To be checked and fixed as needed
- X509 overhead
- Use bulk methods, sessions, trusted hosts as needed
- Cheap short-lived tokens may become desirable
Data protection
- Do different data classes need the same security model?
- Custodial
- Cached
- User
- Access audit trail important for traceability
- Security and performance investigations
- Protection needed against:
- Information leakage ("Higgs-discovery.root")
- Accidental commands
- Malicious outsider, insider
Issues with data ownership
- Missing concept: data owned by the whole VO or by a service
- Use robot certificates for that?
- Mapping person to/from credential
- Changes have consequences for data ownership
- Certificate might indicate "formerly known as"?
- Make use of VOMS nicknames or generic attributes?
- X509 vs. Kerberos access
- Changes have consequences for data ownership
- VO superuser concept desirable?
- Avoid bothering SE admin for cleanups
More items
- CASTOR: RFIO/NS backdoors to be closed
- Not only data, but also SE itself needs protection
- Against illegal data, DoS
- Storage quotas
- On SE: conflict with replicas
- Better handled by experiment framework
- Can still be useful to SE admin
- Low priority, available for some SE types
- Quotas on other resources e.g. bandwidth?
- Prevent DoS
Pre-GDB meeting Feb 12, 2013
- Pre-GDB agenda
- Introduction of the status quo and unresolved issues
- Summary presented in the GDB meeting the next day
- Introduction
| I | Attachment | History | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|---|
 docx |
Storage_Security.docx | r4 r3 r2 r1 | manage | 68.8 K | 2012-04-02 - 00:19 | MaartenLitmaath | summary document v0.4 |
 pdf |
Storage_Security.pdf | r4 r3 r2 r1 | manage | 217.9 K | 2012-04-02 - 00:20 | MaartenLitmaath | summary document v0.4 |
Topic revision: r6 - 2013-02-14 - MaartenLitmaath
LCG Wikis
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback