Next: Bibliography
Up: A local Globus install
Previous: Local modifications
  Contents
There should be two accounts:
- gridadm: a Globus/Grid administration account. This pseudo-user owns the files related to the Globus install and deployment. It is preferably part of the `ices' group, so it can use the installed base at /global/ices. It should not run any Globus services.
- griduser: a (temporary) account for testing grid services. It should preferably be in its own group and not be able to write anywhere except its home directory (and /tmp), akin to user `nobody'.
The gatekeeper should run as root, either from inetd or as a stand-alone daemon. On selected hosts, Globus should be started by default from the system startup scripts. The `services' file may include a reference to the Globus gatekeeper on port 2119. These actions require a certain amount of trust in the Globus administrator.
A number of rulesets should preferably be added to the hef-router configuration to secure the Globus deployment:
- deny access to tcp/2119 on trusted networks from anywhere outside the trusted networks.
- deny access to tcp/2135 on trusted networks from anywhere outside the trusted networks.
- deny access to tcp/30001 on the GIIS host (currently bilbo) from anywhere outside WCW. The GIIS is, at this time, extremely CPU-intensive and makes the host liable to denial-of-service attacks from outside; it can in principle halt the machine. On the other hand, the networks on the WCW are relatively well supervised, so it is not strictly necessary to block these as well. Keeping them open allows a better exchange of information among the participating VLab institutes.
These rules might later be relaxed slightly to allow access from
selected WCW sites participating in the Virtual Lab or from
participating DutchGrid institutes like KNMI/SARA. Persons submitting
jobs to the Grid via Globus should have a local account.
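The three rules above, together with the later relaxation for selected partner sites, as a small policy model that can be checked before touching the router. This is an added example, not part of the original document or of Globus; the address ranges and the GIIS host address are constructed placeholders, since the real hef-router ranges are not given here.

```python
import ipaddress

# Constructed placeholder ranges; substitute the real hef-router definitions.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]
WCW_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # wider campus range containing the trusted nets
GIIS_HOST = ipaddress.ip_network("10.10.1.5/32")         # placeholder for "bilbo"

# (destination networks, TCP port, source networks still permitted); everything else is denied.
RULES = [
    (TRUSTED_NETS, 2119, TRUSTED_NETS),   # gatekeeper: only from trusted networks
    (TRUSTED_NETS, 2135, TRUSTED_NETS),   # GRIS/MDS: only from trusted networks
    ([GIIS_HOST], 30001, WCW_NETS),       # GIIS: from anywhere inside WCW
]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def decide(src, dst, port, extra_allowed=()):
    """Return 'allow', 'deny' or 'no-rule' for a TCP connection src -> dst:port.

    extra_allowed lists additional source networks (e.g. a DutchGrid partner
    site) that the rules are later relaxed for.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    extra = [ipaddress.ip_network(n) for n in extra_allowed]
    for dst_nets, rule_port, allowed in RULES:
        if port != rule_port or not _in_any(dst, dst_nets):
            continue
        if _in_any(src, allowed) or _in_any(src, extra):
            return "allow"
        return "deny"
    return "no-rule"   # not a Globus port on a protected host; general router policy applies


def wcw_covers_trusted():
    """Sanity check: the WCW range must contain every trusted network, otherwise
    trusted hosts could not reach the GIIS either."""
    return all(any(t.subnet_of(w) for w in WCW_NETS) for t in TRUSTED_NETS)
```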
David Groep
2001-01-25