Re: [HTCondor-users] CondorCE: recipe to react(?) on payload audit events

[Thomas Hartmann <thomas.hartmann@xxxxxxx>]

ah, that looks really nice! :)

I had not realized, that a pilot could in principle be modified "on the 
fly" aka CE - have to ping the VO in question about that ;)

Cheers and thanks,
  Thomas

On 03/04/2023 20.33, Todd L Miller via HTCondor-users wrote:
> > If I as a site admin could instead somewhat control a pilot's start 
> > expression and inject cases like `x509UserProxyVOName =!= DN/FOO && 
> > AuthTokenSubject =!= bababa-bababa` to block such payloads, that 
> > should be equivalent to a a posteriori job removal, I guess.
> > But how would one modify the pilot's own requirements??
>
>  ÂÂÂÂIt seems like it would be easier to modify the pilot to allow 
> modifications. ;)Â Something like:
>
>
> START = $(START) && USER_ALLOW_LIST
> USER_ALLOW_LIST = userMap( allowedUserProxyVONames,
>  Â TARGET.x509UserProxyVOName, "reject", "reject" ) == "allow"
>  ÂÂÂ ||
>  Â userMap( allowedAuthTokenSubject,
>  Â TARGET.authTokenSubject, "reject", "reject" ) == "allow"
>
> STARTD_CLASSAD_USER_MAP_NAMES = allowedUserProxyVONames, 
> allowedAuthTokenSubject,
> CLASSAD_USER_MAPFILE_allowedUserProxyVONames = 
> /etc/pilot/allowedUserProxyVONames
> CLASSAD_USER_MAPFILE_allowedAuthTokenSubject = 
> /etc/pilot/allowedAuthTokenSubject
>
>
> where the CLASSAD_USER_MAPFILE_* entries deliberately point to 
> configuration files on local disk, that is, from the site admin, and not 
> from the pilot.
>
> - ToddM
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature