
[IDDBrasil #FOI-513125]: Fwd: INPE access authorization



Hi Waldenio,

re: making a ldmd.conf change on idd.unidata.ucar.edu to limit the
set of CPTEC machines that can REQUEST data

> Thanks. I will keep an eye open to see when the modifications will take
> effect.

I made the modifications to the ldmd.conf files this morning.  Steve
will be restarting the LDM on one of the nodes to switch it to use
a new version of the LDM sometime this morning (when there is a
CONDUIT lull).  We will restart the LDMs on the other idd.unidata.ucar.edu
nodes after assessing if we should upgrade them to the newest version
of the LDM.  This assessment may take several days.

re:
> We do have a policy for internal users to request data only from our
> internal server, and we advise the external users to request data from our
> external servers.

Very good.

re:
> The difficulty is to identify where the random ldm installations are and who
> is managing them.

Are these random LDM installations all in the same campus (i.e., all in
the Cachoeira Paulista location)?  If yes, it wouldn't seem that hard
to figure out which machine(s) were running the LDM producing the problem
(run 'netstat -a' on all machines and look for LDM connections).

re:
> For example, we don't know who/where is the server "moingobe.cptec.inpe.be"...

Isn't that one of the machines that you used to maintain?

re:
> we also are getting issues with ldm machines reporting statistics as other
> machines, creating overlapping statistics from different machines...

This suggests that the person setting up a new LDM is simply copying the
configuration from an existing installation.

re:
> To have a better control we are replacing the "general authorizations" by
> specific ones.

OK.

re:
> Of course, our people need more training.

Yes, this definitely sounds like a training/information issue.

By the way, the way that I implemented the ALLOW limit for
machines in the cptec.inpe.br domain is:

- specific ALLOW for the machines you requested

  I followed this by:

- blanket ALLOW for the SPARE feed for all machines in the
  cptec.inpe.br domain

The result of this should be that the non-primary machines'
REQUEST(s) will get rejected unless they REQUEST the SPARE
feed (either through a specific REQUEST for spare or a REQUEST
for everything).  The REQUEST(s) for the SPARE feed will not
use any bandwidth since there should be no traffic in that
feed.  I had to make the change in this way because of other
ALLOWs that we want to continue to work.

Cheers,

Tom
--
****************************************************************************
Unidata User Support                                    UCAR Unidata Program
(303) 497-8642                                                 P.O. Box 3000
address@hidden                                   Boulder, CO 80307
----------------------------------------------------------------------------
Unidata HomePage                       http://www.unidata.ucar.edu
****************************************************************************


Ticket Details
===================
Ticket ID: FOI-513125
Department: Support IDD Brasil
Priority: Normal
Status: Closed
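
A small model of the two-tier ALLOW scheme described in the message above, added here as an illustration; it is not Unidata's configuration or LDM code. The host names, the sample feed list, and the rule that a REQUEST is reduced to the feeds it shares with the matching ALLOW entries are assumptions made for the example.

```python
import re

# Constructed ldmd.conf-style entries. Host names are hypothetical placeholders,
# not the machines named in the ticket.
ALLOW_ENTRIES = r"""
# specific ALLOW for the primary machines
ALLOW ANY    ^primary1\.cptec\.inpe\.br$
ALLOW ANY    ^primary2\.cptec\.inpe\.br$
# blanket ALLOW of the (empty) SPARE feed for the rest of the domain
ALLOW SPARE  \.cptec\.inpe\.br$
"""

# Sample subset of feed types; ANY stands for all of them in this model.
FEEDS = frozenset({"CONDUIT", "HDS", "NEXRAD2", "SPARE"})


def expand(feed):
    """Turn a feed expression such as ANY or CONDUIT|HDS into a set of feeds."""
    return FEEDS if feed == "ANY" else frozenset(feed.split("|"))


def parse_allows(text):
    """Return (feeds, compiled host regex) for every ALLOW line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyword, feed, pattern = line.split(None, 2)
        if keyword.upper() == "ALLOW":
            entries.append((expand(feed), re.compile(pattern, re.IGNORECASE)))
    return entries


def granted(entries, host, requested):
    """Feeds a REQUEST from `host` would receive; an empty set means rejected.

    Assumption: allowed feeds are the union of all matching ALLOW entries and
    the REQUEST is reduced to its intersection with that union.
    """
    allowed = frozenset()
    for feeds, pattern in entries:
        if pattern.search(host):
            allowed |= feeds
    return expand(requested) & allowed


if __name__ == "__main__":
    entries = parse_allows(ALLOW_ENTRIES)
    for host in ("primary1.cptec.inpe.br", "other.cptec.inpe.br"):
        for feed in ("CONDUIT", "SPARE", "ANY"):
            print(host, feed, sorted(granted(entries, host, feed)) or "REJECTED")
```

The escaped dots and the trailing `$` matter: without them the blanket pattern would also match a host such as `other.cptec.inpe.br.example.org`.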