
[Condor-users] Request: Run hook scripts in the context of the user who will execute the job on Windows



Ahhhh...Windows. :)

My latest bit of head scratching with hooks on Windows comes in the form
of remote storage access. For years I've run, at each site, a Samba
server with a completely open, read-only share for accessing my Condor
configuration files. This was done because it was found that when a
process owned by SYSTEM talks directly to our NAS it's always denied a
connection. Nothing on the NAS or the Windows side could be changed to
prevent this. But a wide-open Samba share was okay.

Now, it turns out, I need to mount a drive as part of my Windows hook
script. Or at the very least access a share with a UNC path. And I'm in
the same position. Because the hook scripts run as SYSTEM I have to go
through my Samba server and can't talk directly to my NAS. It's
manageable, but it would all be made easier if the hooks could be run in
the context of the user who will execute the jobs.

All my Windows jobs run using dedicated accounts. So if the hook for
slot 1 is running, Condor should be able to know that that job will run
as <domain>\batchuser1 -- a domain account reserved for running batch
jobs in slot 1 on any Windows machine in my system.

Alternately (and this could extend to Linux): it'd be cool to be able to
tell Condor which specific user(s) to use for hook script execution outside
of the whole static-execution account infrastructure. Then users who use
the whole run-jobs-as-actual-users on Windows approach could run hooks
as specific users as well.

- Ian
