
Re: [HTCondor-users] CondorCE: recipe to react(?) on payload audit events



Hi Jason,

> There's nothing natively-supported that comes to mind. The best idea I can come up with is a custom script that monitors the payload audit log for undesired attributes, though I'm not sure then how you make the connection from the payload event to the pilot that should be removed (but I'm also not familiar with this audit log).

Yes, judging from AuditPayloadLog, the only available information is really just the global pool's job details :-/

Maybe from the payload's name with the slot and execution point glued together after cutting the glidein ID - but I have no idea how well that would actually work.

> Flipping this around a bit, if you had the ability to modify pilots' job requirements (i.e. start expression) to reject jobs with undesired attributes/values, would that help with what you're trying to do?

I guess so - background for my question was, if a site could also peek and influence(??) pilots in case a DN or token subject gets corrupted.

If I as a site admin could instead somewhat control a pilot's start expression and inject cases like `x509UserProxyVOName =!= DN/FOO && AuthTokenSubject =!= bababa-bababa` to block such payloads, that should be equivalent to an a posteriori job removal, I guess.
But how would one modify the pilot's own requirements??

Cheers,
  Thomas
