
[Condor-users] using kerberos principal instances in authorization levels
Hello,

Is it possible to use Kerberos principal instances in Condor's
authorization levels?

I've created principals with instances, but when I send commands Condor
only parses up to the "/" to determine a user, thus ignoring whichever
instance I had:

KERBEROS: krb5_unparse_name: rob/cadmin@xxxxxxxxxx
KERBEROS: no user yet determined, will grab up to slash
KERBEROS: picked user: rob
Client is rob@xxxxxxxxxx
User rob is now authenticated!

I'd like, for example, to be able to create principals with a cadmin
instance to denote Condor pool administrators, and give administrative
access based on their instance rather than their principal, i.e.

ALLOW_ADMINISTRATOR = */cadmin@$(UID_DOMAIN)/$(CONDOR_HOST)

rather than having to set it up per user, i.e.

ALLOW_ADMINISTRATOR =
admin1@$(UID_DOMAIN)/$(CONDOR_HOST),admin2@$(UID_DOMAIN)/$(CONDOR_HOST)

The same could be used in a submitter's ALLOW_WRITE level, i.e.

ALLOW_WRITE = */csubmit@$(UID_DOMAIN)/*.DOMAIN.TLD

I know I could simply create a cadmin principal without any instance for
administrators to share, but I'd prefer not to. So basically what I'm
looking for is group-based authorization, if possible through Kerberos,
but if any other approach exists I'd love to hear about it. How do other
sites solve this?

Thanks,

Rob de Graaf
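An added illustration, not Condor's own code: it reproduces the "grab up to slash" mapping shown in the log above, and beside it a hypothetical instance-aware matcher for ALLOW_* entries of the form proposed in the post. The realm, host names and macro values are constructed placeholders, and the assumption that the principal's realm maps to UID_DOMAIN is mine.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance]@REALM'; escaped separators are not handled."""
    if name.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {name!r}")
    local, realm = name.split("@")
    if not local or not realm:
        raise ValueError(f"empty primary or realm in {name!r}")
    primary, _, instance = local.partition("/")
    return Principal(primary, instance or None, realm)

def condor_user(p: Principal, uid_domain: str) -> str:
    """Reproduce the mapping in the quoted log: everything after the first
    '/' is discarded, so rob/cadmin@REALM becomes rob@uid_domain and an
    ALLOW_* entry written for 'rob@...' covers rob/cadmin as well."""
    return f"{p.primary}@{uid_domain}"

def expand_macros(pattern: str, macros: dict) -> str:
    """Substitute $(NAME) config macros (constructed, not Condor's expander)."""
    for key, value in macros.items():
        pattern = pattern.replace(f"$({key})", value)
    return pattern

def allowed(p: Principal, entry: str, macros: dict, client_host: str) -> bool:
    """Hypothetical instance-aware check of one ALLOW_* entry of the form
    'primary[/instance]@domain/host'; any component may use '*' globs.
    An entry without an instance matches only principals without one."""
    who, _, where = expand_macros(entry, macros).partition("@")
    prim_pat, _, inst_pat = who.partition("/")
    dom_pat, _, host_pat = where.partition("/")
    return (fnmatch.fnmatchcase(p.primary, prim_pat)
            and fnmatch.fnmatchcase(p.instance or "", inst_pat)
            and fnmatch.fnmatchcase(macros["UID_DOMAIN"], dom_pat)
            and fnmatch.fnmatchcase(client_host, host_pat))

# Constructed sample values; the domain and hosts are placeholders.
MACROS = {"UID_DOMAIN": "example.org", "CONDOR_HOST": "central.example.org"}
ADMIN_ENTRY = "*/cadmin@$(UID_DOMAIN)/$(CONDOR_HOST)"
SUBMIT_ENTRY = "*/csubmit@$(UID_DOMAIN)/*.example.org"
```

With the instance-aware check, a plain rob@EXAMPLE.ORG no longer satisfies the cadmin entry, whereas under the mapping in the log both names collapse to the same rob@example.org user.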