[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Security: allow condor_submit, deny condor_advertise



> I'd like to allow jobs to be submitted by anyone on machine X, but I would 
> like to limit inserting machine ClassAds with condor_advertise to the root 
> user on the same machine. Is there a way to enforce this sort of 
> authorization (HOSTALLOW_WRITE is obviously too liberal)?

actually, there is now.  the below features will work in 6.9.5, released
just this week.

you will want to set something similar to the below in your condor_config.
this instructs the collector to have different allow lists for schedd and
startd advertisements:

  ALLOW_ADVERTISE_SCHEDD = submithost.foo.com
  ALLOW_ADVERTISE_STARTD = *.executehosts.foo.com


cheers,
-zach