[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Request: Run hook scripts in the context of the user who will execute the job on Windows

can you determine from the class ad what user you are *going* to be.

Then access the credd and if credential is present switch to that user?

Can't recall how easy it is to access the credd from arbitrary code but you're system so you should have the necessary basic rights to do it...

-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Ian Chesal
Sent: 31 August 2009 20:13
To: Condor-Users Mail List
Subject: [Condor-users] Request: Run hook scripts in the context of the user who will execute the job on Windows

Ahhhh...Windows. :)

My latest bit of head scratching with hooks on Windows comes in the form
of remote storage access. For years I've run, at each site, a Samba
server with a complete-open, read-only share for accessing my Condor
configuration files. This was done because it was found that when a
process owned by SYSTEM talks directly to our NAS it's always denied a
connection. Nothing on the NAS or the Windows side could be changed to
prevent this. But a wide-open Samba share was okay.

Now, it turns out, I need to mount a drive as part of my Windows hook
script. Or at the very least access a share with a UNC path. And I'm in
the same position. Because the hook scripts run as SYSTEM I have to go
through my Samba server and can't talk directly to my NAS. It's
manageable, but it would all be made easier if the hooks could be run in
the context of the user who will execute the jobs.

All my Windows jobs run using dedicated accounts. So if the hook for
slot 1 is running, Condor should be able to know that that job will run
as <domain>\batchuser1 -- a domain account reserved for running batch
jobs in slot 1 on any Windows machine in my system.

Alternately (and this could extend to Linux): it'd be cool to be able to
tell Condor which specific user(s) to use hook script execution outside
of the whole static-execution account infrastructure. Then users who use
the whole run-jobs-as-actual-users on Windows approach could run hooks
as specific users as well.

- Ian

Confidentiality Notice.
This message may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient, you are hereby notified that any use, disclosure, dissemination, distribution,  or copying  of this message, or any attachments, is strictly prohibited.  If you have received this message in error, please advise the sender by reply e-mail, and delete the message and any attachments.  Thank you.

Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting

The archives can be found at: 

Gloucester Research Limited believes the information provided herein is reliable. While every care has been taken to ensure accuracy, the information is furnished to the recipients with no warranty as to the completeness and accuracy of its contents and on condition that any errors or omissions shall not be made the basis for any claim, demand or cause for action.
The information in this email is intended only for the named recipient.  If you are not the intended recipient please notify us immediately and do not copy, distribute or take action based on this e-mail.
All messages sent to and from this email address will be logged by Gloucester Research Ltd and are subject to archival storage, monitoring, review and disclosure.
Gloucester Research Limited, 5th Floor, Whittington House, 19-30 Alfred Place, London WC1E 7EA.
Gloucester Research Limited is a company registered in England and Wales with company number 04267560.