[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] restrict usage to few executables

Matt Hope wrote:
On Mon, Mar 24, 2008 at 4:35 AM, Ian Chesal <ICHESAL@xxxxxxxxxx> wrote:
 I would like to forbide *some* users to send their own
 > executables and allow them just to run /usr/bin/exec1 and
 > /usr/local/bin/exec2.
 > Can I do that ?

 Offhand I can think of any feature in Condor that lets you control what
 users can do at this level of detail. Your best bet is to wrap access to
 pool in your own submission/authentication mechanism. Don't let users
 submit directly to your pool, have them submit through your own
 interface that applies its own security policy.

I second Ian's suggestion, but if you want something fast and nasty an
enforced job wrapper script which checks the executable, deletes any
transferred executable and redirects the arguments to a locally
installed (and with correct permission) executable that would do it.

BTW, you tell Condor about your job wrapper script by setting USER_JOB_WRAPPER in the condor_config file of your execute machines. See
for more details.