Grid Security Vulnerability Group - Advisory
--
Topic: No Authorization in R-GMA
--
Date: 2008-04-04, updated 2010-03-08
--
ID: Grid Vulnerability Savannah bug #10707
--
Background

R-GMA stands for the Relational Grid Monitoring Architecture. It provides the framework for the operations of the distributed monitoring database.
--
Vulnerability Details

There is no authorization in the versions of R-GMA distributed as part of gLite. This means that any authenticated user can view or publish any information they choose. This is a matter of missing functionality, which is well known to those installing and using R-GMA.
--
Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group reminds sites of this and asks them to be aware that a new version of R-GMA is available in which authorization is included.
--
Component and Installation information

A new version of R-GMA is available from http://hepunx.rl.ac.uk/egee/jra1-uk/r-gma-6.0/installation.html

R-GMA is not currently distributed as part of gLite 3.2, and the earlier version distributed with gLite 3.1 is not being upgraded to the latest version supplied by the R-GMA developers.
--
Other information

The version of R-GMA which includes authorization is new, and follows a major re-write.
--
Credit

This issue has been well known for a long time, hence there is no need to credit anyone with reporting this issue.
--
Disclosure Timeline

2005-11-24 Issue handled by the Pre EGEE-II process including informing site security contacts
2008-01-14 R-GMA testing version of R-GMA which includes authorization
2010-03-09 Public disclosure as new version of R-GMA is available with this problem fixed