
Re: [Condor-users] Win32 Version more questions(Newbie)

On Thu, 30 Dec 2004 09:55:24 -0500 (EST), N <nnoydb@xxxxxxxxxx> wrote:
> Is it possible to alter the command shell utilized by Condor to execute jobs?
>    I wish to use 4NT instead of CMD since it is considerably more flexible.

You could have a batch script which itself executes 4NT - you would
require some form of guarantee as to 4NT being present and in a well
defined location.

I drop to cygwin from a batch script but ensure the installation of
cygwin is valid.

Obviously this requires the submitting users to do the right thing (or
be forced to do the right thing).

> Is there a facility to execute my own initialization at service start (via VBScript
> or some other script)?

I believe this is an area where the UNIX versions have a feature
Windows ports do not. Simply being able to execute pre and post batch
scripts of the admin's choice would be nice...

>    I wish to set up "mount points" aka "mapped drives" like the users home
>    drive and the common run directories.

net use is your friend - you will again have to force the users to use
scripts of your own choosing though.
Security access is a further issue (the script or classads would need
embedded passwords or the network shares would be open to all).

> I am still unclear how security is handled in Condor (even after reading the 
> documentation).  I am aware the Condor submit will not queue a job if the
> requesting user does not have execute permission (to the job file/binary).  
> However, since the service runs under a selected user and no "runas" is 
> executed what is to prevent the user from copying, accessing, moving file(s) he 
> or she doesn't have access to but the cluster user does?

The service normally runs as local admin or equivalent but the
processes spawned off for your submitted jobs run as the execute user
defined in the config file.

The execute user is entirely controlled by yourself as admin of the
execute nodes.
This user typically has few access privileges except to the execute directory.
In Windows you would do well to reconsider whether or not Condor is
right for you if you cannot say yes to one of the following:

1) I can handle the limitation of ensuring submitted jobs need no
external access at all.

2) I am happy to expose some internal security issues 

3) All jobs will run as a single domain user with the required access
to everything it needs - I don't mind ensuring the credentials of this
user are maintained on all execute nodes

> I am sorry if these questions seem a bit basic but I am still uncertain after reading
> the documentation.  I hope someone has a similar experience and can educate 
> me or point me in the direction of further documentation.

There are some previous discussions on this list about how to make a
domain user be the execute user....

If you expect to be able to give users a way of running their jobs on
a different machine but with all the access rights / SSPI implied
privileges / remote drives you are in for a shock.

Best thing is to get people out of the habit of assuming their jobs
will run as themselves, or indeed in a domain context and provide all
required data as part of the job input (this will have significant
throughput benefits if you are constantly hitting databases/network