
Re: [HTCondor-users] CondorCE: recipe to react(?) on payload audit events



> If I as a site admin could instead somewhat control a pilot's start expression and inject cases like `x509UserProxyVOName =!= DN/FOO && AuthTokenSubject =!= bababa-bababa` to block such payloads, that should be equivalent to an a posteriori job removal, I guess.
> But how would one modify the pilot's own requirements?

It seems like it would be easier to modify the pilot to allow modifications. ;) Something like:


# Append the allow-list check to whatever START the pilot already defines.
# USER_ALLOW_LIST is a config macro, so it must be expanded with $(...), and
# the parentheses keep its "||" from escaping the "&&".
START = $(START) && ( $(USER_ALLOW_LIST) )

# A payload is accepted when either its proxy VO name or its token subject maps
# to "allow". userMap() takes the map name as a string; with "reject" as both
# the preferred and the default value, anything unmapped or undefined is rejected.
USER_ALLOW_LIST = \
    userMap( "allowedUserProxyVONames", \
             TARGET.x509UserProxyVOName, "reject", "reject" ) == "allow" \
    || \
    userMap( "allowedAuthTokenSubject", \
             TARGET.AuthTokenSubject, "reject", "reject" ) == "allow"

# Map names the startd loads, and the local files backing each of them.
STARTD_CLASSAD_USER_MAP_NAMES = allowedUserProxyVONames, allowedAuthTokenSubject
CLASSAD_USER_MAPFILE_allowedUserProxyVONames = /etc/pilot/allowedUserProxyVONames
CLASSAD_USER_MAPFILE_allowedAuthTokenSubject = /etc/pilot/allowedAuthTokenSubject


where the CLASSAD_USER_MAPFILE_* entries deliberately point to configuration files on local disk, that is, from the site admin, and not from the pilot.

- ToddM
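As an added illustration of the decision the sketched START expression makes, not code from the thread or from HTCondor itself, the following Python models the four-argument userMap() semantics (first matching entry wins; the preferred name is returned if it is among the mapped names, otherwise the first mapped name; no match or an undefined attribute yields the default) over constructed map data in the method / pattern / canonical-name layout of HTCondor map files, and evaluates it against a few constructed payload ads. The map contents, the regex full-match assumption and the function names are all assumptions made for the example; it also shows why the allow-list must be parenthesised when appended to an existing START.

```python
"""Model of the pilot START allow-list sketched above (constructed example)."""
import re

# Constructed map data in the three-column map-file layout
# (method, principal pattern, canonical name); the method column is ignored.
ALLOWED_VO_NAMES = """\
* /^cms$/   allow
* /^atlas$/ allow
* /^badvo$/ reject
"""
ALLOWED_TOKEN_SUBJECTS = """\
* /^[0-9a-f-]{36}@example\\.org$/ allow
"""


def parse_map(text):
    """Return a list of (compiled regex, [canonical names]) in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _method, pattern, canon = line.split(None, 2)
        # /.../ is a regex; a bare word is matched literally (assumption).
        if pattern.startswith("/") and pattern.endswith("/"):
            pat = pattern[1:-1]
        else:
            pat = re.escape(pattern)
        entries.append((re.compile(pat), canon.split(",")))
    return entries


def user_map(entries, name, preferred, default):
    """Model of userMap(mapName, name, preferred, default): first match wins,
    'preferred' if it is among the canonical names, else the first canonical
    name; no match or an undefined input (None) returns 'default'."""
    if name is None:
        return default
    for regex, canon in entries:
        if regex.fullmatch(name):          # full match assumed
            return preferred if preferred in canon else canon[0]
    return default


def user_allow_list(job, vo_map, subj_map):
    """USER_ALLOW_LIST: accept if either attribute maps to "allow"."""
    vo_ok = user_map(vo_map, job.get("x509UserProxyVOName"),
                     "reject", "reject") == "allow"
    subj_ok = user_map(subj_map, job.get("AuthTokenSubject"),
                       "reject", "reject") == "allow"
    return vo_ok or subj_ok


def start(job, prior_start, vo_map, subj_map):
    """START = $(START) && ( $(USER_ALLOW_LIST) ), with the parentheses."""
    return prior_start and user_allow_list(job, vo_map, subj_map)


def start_unparenthesised(job, prior_start, vo_map, subj_map):
    """What the expression means without parentheses: the '||' escapes the
    '&&', so a token-subject match overrides a false prior START."""
    vo_ok = user_map(vo_map, job.get("x509UserProxyVOName"),
                     "reject", "reject") == "allow"
    subj_ok = user_map(subj_map, job.get("AuthTokenSubject"),
                       "reject", "reject") == "allow"
    return (prior_start and vo_ok) or subj_ok


if __name__ == "__main__":
    vo = parse_map(ALLOWED_VO_NAMES)
    subj = parse_map(ALLOWED_TOKEN_SUBJECTS)
    for ad in ({"x509UserProxyVOName": "cms"},
               {"x509UserProxyVOName": "badvo"},
               {"AuthTokenSubject": "12345678-1234-1234-1234-123456789abc@example.org"},
               {}):
        print(ad, "->", "allow" if user_allow_list(ad, vo, subj) else "reject")
```

Payloads with neither attribute, or with a VO that is unmapped or explicitly mapped to "reject", are refused; the model also shows that without the parentheses a matching token subject would accept a payload even when the pilot's own prior START evaluated to false.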