RE: Administrative control of proxy lifetime?

To: "Steve Chan" <sychan@lbl.gov>
Subject: RE: Administrative control of proxy lifetime?
From: Jim Basney <jbasney@ncsa.uiuc.edu>
Date: Fri, 30 Jan 2004 08:41:27 -0600
Cc: <myproxy-users@ncsa.uiuc.edu>
Content-type: text/plain; charset="us-ascii"; format=flowed
In-reply-to: <000901c3e6ee$36e55530$5001a8c0@gridmonkey>
References: <5.2.1.1.2.20040129194136.027f6368@pop.ncsa.uiuc.edu>
Sender: owner-myproxy-users@ncsa.uiuc.edu

Steve,

I just made a release on Wednesday and wasn't planning another one any time 
soon.  Is this a high priority request?

The myproxy-server already enforces a maximum lifetime for retrieved proxy 
credentials.  The maximum lifetime is 12 hours unless a different maximum 
was specified when the credential was stored.  If you load credentials with 
myproxy-admin-load-credential, you already have administrative control over 
this maximum lifetime.  If users load their credentials to your 
myproxy-server with myproxy-init, they would have to explicitly increase 
the maximum to be able to later retrieve a longer-lived credential, i.e., 
they would have to be motivated to get a longer credential.  In that case, 
those motivated users could just as easily run grid-proxy-init to create a 
long-lived proxy, bypassing MyProxy entirely, so I think a server 
configured lifetime on all retrieved proxy credentials has limited utility 
beyond what is already provided.

I'm happy to accommodate your feature request but before I make it a high 
priority I'd like to better understand why you want this feature.

-Jim

At 11:01 PM 1/29/2004, Steve Chan wrote:
>Jim,
>
>         If you can get a configurable max lifetime in there, that would
>be great. Any idea when the next rev will be out?
>
>         Steve
>
>-----Original Message-----
>From: owner-myproxy-users@ncsa.uiuc.edu
>[mailto:owner-myproxy-users@ncsa.uiuc.edu] On Behalf Of Jim Basney
>Sent: Thursday, January 29, 2004 5:48 PM
>To: Steve Chan
>Cc: myproxy-users@ncsa.uiuc.edu
>Subject: Re: Administrative control of proxy lifetime?
>
>Steve,
>
>Yes, I can add this feature for the next release.  Note that if you're
>using myproxy-admin-adduser or myproxy-admin-load-credential, you can
>set
>the maximum lifetime with the -t option.  The maximum lifetime for
>retrieved credentials is 12 hours by default if not overridden by the -t
>
>option of myproxy-init, myproxy-admin-adduser, or
>myproxy-admin-load-credential.
>
>-Jim
>
>At 07:17 PM 1/29/2004, Steve Chan wrote:
> >             Are there any plans to put a server config that will put a
>
> > cap on the maximum lifetime for a proxy credential?
> >
> >
> >
> >             Wed like to prevent users from getting what is essentially
>a
> > long lived certificate (say, a proxy cert good for 12 months) and
>leaving
> > it laying around for convenience.
> >
> >
> >
> >             I dont see anything in the configuration docs that address
>
> > this, and it has come up several times already in discussions about
> > myproxy. If it isnt in the pipeline, can we get it added in there?
> >
> >
> >
> >             Thanks,
> >
> >             Steve

Follow-Ups:
- RE: Administrative control of proxy lifetime?
  - From: "Steve Chan"

References:
- Re: Administrative control of proxy lifetime?
  - From: Jim Basney
- RE: Administrative control of proxy lifetime?
  - From: "Steve Chan"

Prev by Date: RE: Administrative control of proxy lifetime?
Next by Date: RE: Administrative control of proxy lifetime?
Previous by thread: RE: Administrative control of proxy lifetime?
Next by thread: RE: Administrative control of proxy lifetime?

Other Mailing lists | Author Index | Date Index | Subject Index | Thread Index