[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Condor-users] restrict usage to few executables
- Date: Tue, 25 Mar 2008 06:31:48 -0500
- From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
- Subject: Re: [Condor-users] restrict usage to few executables
Matt Hope wrote:
On Mon, Mar 24, 2008 at 4:35 AM, Ian Chesal <ICHESAL@xxxxxxxxxx> wrote:
I would like to forbide *some* users to send their own
> executables and allow them just to run /usr/bin/exec1 and
> Can I do that ?
Offhand I can think of any feature in Condor that lets you control what
users can do at this level of detail. Your best bet is to wrap access to
pool in your own submission/authentication mechanism. Don't let users
submit directly to your pool, have them submit through your own
interface that applies its own security policy.
I second Ian's suggestion, but if you want something fast and nasty an
enforced job wrapper script which checks the executable, deletes any
transferred executable and redirects the arguments to a locally
installed (and with correct permission) executable that would do it.
BTW, you tell Condor about your job wrapper script by setting
USER_JOB_WRAPPER in the condor_config file of your execute machines. See
for more details.