RE: Administrative control of proxy lifetime?
I just made a release on Wednesday and wasn't planning another one any time
soon. Is this a high priority request?
The myproxy-server already enforces a maximum lifetime for retrieved proxy
credentials. The maximum lifetime is 12 hours unless a different maximum
was specified when the credential was stored. If you load credentials with
myproxy-admin-load-credential, you already have administrative control over
this maximum lifetime. If users load their credentials to your
myproxy-server with myproxy-init, they would have to explicitly increase
the maximum to be able to later retrieve a longer-lived credential, i.e.,
they would have to be motivated to get a longer credential. In that case,
those motivated users could just as easily run grid-proxy-init to create a
long-lived proxy, bypassing MyProxy entirely, so I think a server
configured lifetime on all retrieved proxy credentials has limited utility
beyond what is already provided.
I'm happy to accommodate your feature request but before I make it a high
priority I'd like to better understand why you want this feature.
At 11:01 PM 1/29/2004, Steve Chan wrote:
> If you can get a configurable max lifetime in there, that would
>be great. Any idea when the next rev will be out?
>[mailto:email@example.com] On Behalf Of Jim Basney
>Sent: Thursday, January 29, 2004 5:48 PM
>To: Steve Chan
>Subject: Re: Administrative control of proxy lifetime?
>Yes, I can add this feature for the next release. Note that if you're
>using myproxy-admin-adduser or myproxy-admin-load-credential, you can
>the maximum lifetime with the -t option. The maximum lifetime for
>retrieved credentials is 12 hours by default if not overridden by the -t
>option of myproxy-init, myproxy-admin-adduser, or
>At 07:17 PM 1/29/2004, Steve Chan wrote:
> > Are there any plans to put a server config that will put a
> > cap on the maximum lifetime for a proxy credential?
> > Wed like to prevent users from getting what is essentially
> > long lived certificate (say, a proxy cert good for 12 months) and
> > it laying around for convenience.
> > I dont see anything in the configuration docs that address
> > this, and it has come up several times already in discussions about
> > myproxy. If it isnt in the pipeline, can we get it added in there?
> > Thanks,
> > Steve