Still planning to migrate the cluster hardware into the new configuration on Tuesday, but without the restrictive security policies, and without native GPFS mounts.
Extended discussion of what the security situation is regarding services that need elevated privileges, particularly w.r.t. the critical need for impersonation in the LSP services (at least Nublado and WebDAV).
We need to enumerate exactly what capabilities are required by the LSP components.
We need to define what is "trusted" vs. untrusted code. How would we review it? Would we need to sign it and have a chain of trust that runs through a secure container image registry?
Unknown User (awithers)'s responsibilities cover security policies for LSST as a whole, not just for the deployment of LSST code on NCSA systems. We need to define more specific classification and review policies so that we don't have to have blunt blanket policies.