[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] userprio security

I understand.  You'll need to comment out


and uncomment


and comment


That should remove administrative rights from non-root accounts on these machines. I'm guessing on this because I haven't tested this to see what the actual effects of these changes would do.

- dave

Roman Zubatyuk wrote:

   Thank you for reply. But the my problem is that our pool is
configured so that users can submit jobs only from the $(CONDOR_HOST).
So, all of them have logins on central manager host. It present any
user can change userprio values. Users can not kill job from the other
user, but they can change priority factors. The latter action should
only be allowed for condor administrators. As far as I understand
administration is alowed on per-host basis, not at per-user basis. So,
there is no possibility to devide users at $(CONDOR_HOST) into admins
and restricted users?


On 4/3/06, David A. Kotz <dkotz@xxxxxxxxxxxxx> wrote:
Roman Zubatyuk wrote:
Dear All,

 I am using 6.7.13 I386-LINUX_RH72 codnor. I have ound that any user
of my central manager can change users priority factors. Please, can
you advise me the right configuration entry to disable it.

Thanks in advance,

Condor-users mailing list


This is the section of the condor_config file you should look at and
adjust.  I've left mine as $(CONDOR_HOST), which is the central manager,
because I don't allow users to log on to that machine.

##  Host/IP access levels
##  Please see the administrator's manual for details on these
##  settings, what they're for, and how to use them.

##  What machines have administrative rights for your pool?  This
##  defaults to your central manager.  You should set it to the
##  machine(s) where whoever is the condor administrator(s) works
##  (assuming you trust all the users who log into that/those
##  machine(s), since this is machine-wide access you're granting).

##  If there are no machines that should have administrative access
##  to your pool (for example, there's no machine where only trusted
##  users have accounts), you can uncomment this setting.
##  Unfortunately, this will mean that administering your pool will
##  be more difficult.

##  What machines should have "owner" access to your machines, meaning
##  they can issue commands that a machine owner should be able to
##  issue to their own machine (like condor_vacate).  This defaults to
##  machines with administrator access, and the local machine.  This
##  is probably what you want.