Dates

 

Agenda, Discussion, and Action Items

Agenda & Discussion

Goal(s)

Figure out how to securely manage the content published from our pilot cvmfs.xsede.org server.

Related Information

Background material

Discussion

Pilot Server Setup (Jeff)

  1. Host cvmfs.xsede.org provisioned on Jetstream with local user accounts that match XSEDE usernames
    1. We agreed that matching XSEDE usernames is the best approach
  2. Logins via password or ssh keys
    1. We agreed to configure login MFA right away for the pilot as this is how it would work in production
  3. Basic configuration managed using Ansible, but not checked in to a GitHub/BitBucket repo yet
  4. Worked with OSG to publish under the path 'colorado.xsede.org'
  5. colorado.xsede.org content is updated by the local 'colorado' account based on configured CVMFS privileges and unix permissions
    1. Might want to rename 'colorado' to 'cvmfs_colorado' or something similar to separate it from the XSEDE username space

Since we would likely have multiple use cases and publishers, ask OSG:

Use Cases

Managing Content

Steps on cvmfs.xsede.org for the 'colorado' user to publish:

  1. Configure CVMFS with the account that owns and can modify the contents of 'colorado.xsede.org'
  2. The owner starts an update transaction with the command "cvmfs_server transaction colorado.xsede.org"
    1. This mounts /cvmfs/colorado.xsede.org which the owner has write access to
  3. The owner modifies contents
  4. The owner closes the transaction by running "cvmfs_server publish"
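
The publish steps above as one wrapper, added here as an example (not a script from the pilot server): it refuses to run as any account other than the repository owner and aborts the open transaction if the copy or the publish fails. The source directory argument and the MOUNT_ROOT and CVMFS_SERVER variables are assumptions for illustration; the repository name, the 'colorado' account and the transaction/publish commands come from the notes.

```shell
#!/bin/sh
# Added example: publish one update to a CVMFS repository as its owner account.
# REPO and PUBLISHER are taken from the notes; MOUNT_ROOT and CVMFS_SERVER are
# overridable assumptions so the wrapper can be exercised without a real server.
REPO="${REPO:-colorado.xsede.org}"
PUBLISHER="${PUBLISHER:-colorado}"
MOUNT_ROOT="${MOUNT_ROOT:-/cvmfs}"
CVMFS_SERVER="${CVMFS_SERVER:-cvmfs_server}"

# publish_update SRC_DIR
# Copies SRC_DIR into the repository inside one transaction.
# Returns 0 on success, 2 on a refused precondition, 1 on a failed update.
publish_update() {
    src_dir="$1"

    # Step 1: only the account that owns the repository may publish.
    if [ "$(id -un)" != "$PUBLISHER" ]; then
        echo "refusing to publish: must run as '$PUBLISHER'" >&2
        return 2
    fi
    if [ ! -d "$src_dir" ]; then
        echo "refusing to publish: '$src_dir' is not a directory" >&2
        return 2
    fi

    # Step 2: open the transaction; the repository mount becomes writable.
    "$CVMFS_SERVER" transaction "$REPO" || return 1

    # Step 3: modify contents. On failure, discard the partial changes
    # instead of leaving a half-written transaction open.
    if ! cp -R "$src_dir"/. "$MOUNT_ROOT/$REPO/"; then
        "$CVMFS_SERVER" abort -f "$REPO"
        return 1
    fi

    # Step 4: close the transaction; abort if the publish itself fails.
    if ! "$CVMFS_SERVER" publish "$REPO"; then
        "$CVMFS_SERVER" abort -f "$REPO"
        return 1
    fi
}
```

On the server this would be called as `publish_update /path/to/staged/content` from the 'colorado' account after sourcing the file.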

Security considerations:

Alternate content management approach:

Production platform

Jim recommended a pilot report to hand over to ACCESS rather than implementing in production before the end of XSEDE.

Action Items

Attendees