
Re: [Condor-users] Security: allow condor_submit, deny condor_advertise

Zachary Miller wrote:
I'd like to allow jobs to be submitted by anyone on machine X, but I would like to limit inserting machine ClassAds with condor_advertise to the root user on the same machine. Is there a way to enforce this sort of authorization (HOSTALLOW_WRITE is obviously too liberal)?

Actually, there is now. The below features will work in 6.9.5, released
just this week.

You will want to set something similar to the below in your condor_config.
This instructs the collector to have different allow lists for schedd and
startd advertisements:

  ALLOW_ADVERTISE_SCHEDD = submithost.foo.com
  ALLOW_ADVERTISE_STARTD = *.executehosts.foo.com

To restrict people from using condor_advertise to advertise machine ClassAds, you would need to go a little further. For example, in the above example, a user can still submit a job that runs on one of the execute hosts and calls condor_advertise to send a startd ClassAd to the collector. To prevent that, you would want to require authentication of the startd advertisement (and possibly the schedd as well, for that matter). Example:

SEC_ADVERTISE_STARTD_AUTHENTICATION = REQUIRED

And then you would need to get one of the available authentication methods working for your Condor daemons.

--Dan
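A small audit script for the policy discussed in this thread, added here as an example and not part of the original messages: it parses condor_config-style `KEY = VALUE` lines (the two config fragments are constructed samples) and flags a collector that still relies on HOSTALLOW_WRITE alone for startd advertisements, or that allows them without SEC_ADVERTISE_STARTD_AUTHENTICATION = REQUIRED. The checks encode the reasoning in Dan's reply and are my reading of it, not Condor's own validation.

```python
import re

# Constructed condor_config fragments (sample input, not from the thread).
WEAK_CONFIG = """
# anyone matching this can write to the collector, including via condor_advertise
HOSTALLOW_WRITE = *.foo.com
"""

HARDENED_CONFIG = """
ALLOW_ADVERTISE_SCHEDD = submithost.foo.com
ALLOW_ADVERTISE_STARTD = *.executehosts.foo.com  # only execute hosts
SEC_ADVERTISE_STARTD_AUTHENTICATION = REQUIRED   # and only when authenticated
"""


def parse_condor_config(text):
    """Parse 'KEY = VALUE' lines; '#' starts a comment. Later lines override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def audit_startd_advertise(settings):
    """Return findings about who may push startd (machine) ClassAds to the collector."""
    findings = []
    allow = settings.get("ALLOW_ADVERTISE_STARTD")
    if allow is None:
        findings.append("ALLOW_ADVERTISE_STARTD unset: startd ads are gated only by "
                        "the general write list (HOSTALLOW_WRITE)")
    else:
        # Allow lists are comma- or whitespace-separated host patterns.
        hosts = [h for h in re.split(r"[,\s]+", allow) if h]
        if "*" in hosts:
            findings.append("ALLOW_ADVERTISE_STARTD contains '*': any host may advertise")
    if settings.get("SEC_ADVERTISE_STARTD_AUTHENTICATION", "").upper() != "REQUIRED":
        findings.append("SEC_ADVERTISE_STARTD_AUTHENTICATION is not REQUIRED: a job on an "
                        "allowed execute host can still run condor_advertise")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_startd_advertise(parse_condor_config(cfg)) or ["ok"])
```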