Package: igtf-policy-classic
Version: 1.73-1
Severity: wishlist

Hi.

Currently the package creates symlinks for all files in /etc/grid-security.

It would be nice if one could:
- disable this completely
- configure the location where they're created

The reasons are:
a) Even in grid environments, /etc/grid-security is no longer necessarily a fixed location, e.g. dcache allows other locations for CA and voms stuff.
b) The following scenario I use at our Tier-2:
   - I basically want to have one location where I canonically set up the trusted CAs/voms files and where fetch CRL runs.
   - all other nodes on the cluster pull their files from that node, e.g. via rsync, and deploy them to their respective /etc/grid-security (this is even done like that by the host where I keep the canonical repo of the certs).

Why? Well, several reasons:
- one central point where I can remove trusted CAs if I want to
- one central point where fetch-crl runs, which has the minor benefit of fewer services running on other nodes, and the major benefit that it's guaranteed that all nodes have the same CRLs. It happens pretty often that the CRL servers fail sometimes and even if they'd not, I'd want all nodes to have exactly the same CRLs (which is not fully guaranteed if each of them runs fetch-crl, at possibly different times). Accesses shouldn't be allowed on one node, but denied on another because of different CRLs.

Problems with the current way the package installs symlinks to /etc/grid-security:
- They're all symlinks... so either I still have to install the package on each node (which again makes it possible that they're out of sync)
- It doesn't work anymore, that the one node that holds the canonical location of my trusted CAs (which needs to be /etc/grid-security right now) pulls its CAs via the same mechanism as all other nodes.

Cheers,
Chris.
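
An added example, not part of the original report or of the package: a drift check that compares a node's trust-anchor directory against the canonical copy and reports stale CRLs and leftover symlinks, the two failure modes described above. The directory layout, file names and symlink target are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def manifest(directory):
    """Map name -> (kind, value): SHA-256 for regular files, target for symlinks."""
    entries = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.islink(path):
            # Recorded, not followed: a copied link is only usable if its
            # target also exists on the receiving node.
            entries[name] = ("symlink", os.readlink(path))
        elif os.path.isfile(path):
            with open(path, "rb") as fh:
                entries[name] = ("sha256", hashlib.sha256(fh.read()).hexdigest())
    return entries

def drift(canonical, node):
    """Return names missing on, extra on, or differing on the node."""
    ref, cur = manifest(canonical), manifest(node)
    return {
        "missing": sorted(set(ref) - set(cur)),
        "extra": sorted(set(cur) - set(ref)),
        "changed": sorted(n for n in set(ref) & set(cur) if ref[n] != cur[n]),
        "symlinks": sorted(n for n, (kind, _) in cur.items() if kind == "symlink"),
    }

def demo():
    """Build two constructed directories (canonical and node) and compare them."""
    with tempfile.TemporaryDirectory() as root:
        canon = os.path.join(root, "canonical")
        node = os.path.join(root, "node")
        os.mkdir(canon)
        os.mkdir(node)
        files = {"0a1b2c3d.0": b"constructed CA cert", "0a1b2c3d.r0": b"constructed CRL v2"}
        for name, data in files.items():
            with open(os.path.join(canon, name), "wb") as fh:
                fh.write(data)
        # The node holds a stale CRL and a symlinked CA file instead of a copy.
        with open(os.path.join(node, "0a1b2c3d.r0"), "wb") as fh:
            fh.write(b"constructed CRL v1")
        os.symlink("/usr/share/example/0a1b2c3d.0", os.path.join(node, "0a1b2c3d.0"))
        return drift(canon, node)

if __name__ == "__main__":
    print(demo())
```

Any non-empty list in the result means the node would make different trust decisions than the canonical host.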