
Re: [Condor-users] Request: Run hook scripts in the context of the user who will execute the job on Windows



I was more thinking of lifting the code in the starter to grab the credentials and execute as the user (on the basis it would execute exactly as the condor running mode does).

The runas should work just fine if you don't want dynamic control (and will be much simpler), so go with that if it works for you...

-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Ian Chesal
Sent: 01 September 2009 19:39
To: Condor-Users Mail List
Subject: Re: [Condor-users] Request: Run hook scripts in the context of the user who will execute the job on Windows

> > Can you determine from the class ad what user you are *going* to be?
>
> I can. My batch accounts are assigned per-slot. So slot 1
> implies UserA, slot 2 implies User2, etc.
>
> > Then access the credd and if credential is present switch to
> > that user?
> >
> > Can't recall how easy it is to access the credd from
> > arbitrary code but you're system so you should have the
> > necessary basic rights to do it...
>
> Interesting. It didn't occur to me you could use credd to do
> a user context switch like this. We're toying with running a
> runas to spawn a sub-job that does the heavy lifting for the
> hook. But so far that's not working very well. And has the
> added annoyance of having to put the passwords for the
> headless accounts in plaintext.
>
> I'll look into using the credd stuff. Thanks!

Matt, I cruised through the credd stuff in the 7.2.x manual. Everything
I read said the credd is only responsible for stashing passwords. It
doesn't do the execution-in-user-context stuff, it just supplies the
passwords to use. Have I read that wrong? I already know the account
passwords. It might save me putting the passwords out there in plaintext
I suppose. Mind you: I don't see a way to access the credd daemon
outside of a Condor binary.

So we're about to experiment with the following setup:

        HOOK_FETCH_WORK = firehook.bat

And in firehook.bat:

        runas /profile /user:foo@bar hookscript.bat

Which fires the real hook script as a user. Not sure it'll work yet, but
worth a shot. What we're not doing here is running as the same user
that'll run the job. We just picked one user and run all hook scripts as
that user. Not a big deal in my case since they're all equivalent users.
We may create an extra user just for hook script execution if this goes
well.

- Ian
