Re: [Condor-users] Request: Run hook scripts in the context of the user who will execute the job on Windows
- Date: Tue, 1 Sep 2009 14:39:07 -0400
- From: Ian Chesal <ICHESAL@xxxxxxxxxx>
- Subject: Re: [Condor-users] Request: Run hook scripts in the context of the user who will execute the job on Windows
> > can you determine from the class ad what user you are *going* to be.
> I can. My batch accounts are assigned per-slot. So slot 1
> implies UserA, slot 2 implies User2, etc.
> > Then access the credd and if credential is present switch to
> > that user?
> > Can't recall how easy it is to access the credd from
> > arbitrary code but your system so you should have the
> > necessary basic rights to do it...
> Interesting. It didn't occur to me you could use credd to do
> a user context switch like this. We're toying with running a
> runas to spawn a sub-job that does the heavy lifting for the
> hook. But so far that's not working very well. And has the
> added annoyance of having to put the passwords for the
> headless accounts in plaintext.
> I'll look into using the credd stuff. Thanks!
Matt, I cruised through the credd stuff in the 7.2.x manual. Everything
I read said the credd is only responsible for stashing passwords. It
doesn't do the execution-in-user-context stuff, it just supplies the
passwords to use. Have I read that wrong? I already know the account
passwords. It might save me putting the passwords out there in plaintext
I suppose. Mind you: I don't see a way to access the credd daemon
outside of a Condor binary.
So we're about to experiment with the following setup:
HOOK_FETCH_WORK = firehook.bat
And in firehook.bat:
runas /profile /user:foo@bar hookscript.bat
Which fires the real hook script as a user. Not sure it'll work yet, but
worth a shot. What we're not doing here is running as the same user
that'll run the job. We just picked one user and run all hook scripts as
that user. Not a big deal in my case since they're all equivalent users.
We may create an extra user just for hook script execution if this goes