Re: [Condor-users] Access user registry

[Felix Wolfheimer <f.wolfheimer@xxxxxxxxxxxxxx>]

Have you tried using the load_profile = true setting instead?
---> Hm, I'm not sure how the load_profile can help in this case as it
creates a dedicated run account which obviously can't access the
registry where the credentials are stored (if I understood this section
in the manual correctly).

Are you submitting from the same machine that you execute on?
---> No, the users will preferably submit their jobs from their desktop
computers remotely to the dedicated scheduler of the cluster using
"condor_submit -remote". 

Does MPI need to be able to make changes to the registry and have them 
persist after the job exits?
---> Hm, MPI tries to read the credentials from the users registry which
must be stored there before with the "mpiexec -register" command. Now
when I run_as_owner I have no access to the HKCU registry and if I run
using load_profile I maybe could write something into the temporary
registry using a wrapper script but the credentials would then be send
in clear text which is probably more insecure than it would be to allow
a job access to the HKCU of the executing user ;-).   

A colleague of mine found out something more about the issue: If you set
the run_as_owner flag you have something like a HKCU of a default user
(not that one of your own account). If you have administrative rights on
the machine you can execute the "mpiexec -register" in your wrapper
script and register e.g. the credentials of a special MPI account. This
works. However, if the next user submits a job he needs to do the same
again because he cannot read the previously registered credentials even
with the highest admin rights you can get on Windows. So he needs to
register them again. 

I think that I'll try the option "load_profile" and create a dedicated
account used for MPI. The credentials of this account I'll give to all
users such that they can force mpiexec to write them to the temporary
registry using a wrapper and start the MPI jobs using this account. I
think that it is a bit weird because everyone has access to the MPI
account as a result but I see no other way around the problem. I'll let
you know if this approach works.

  

 

Am Mittwoch, den 09.03.2011, 14:11 -0600 schrieb Ziliang Guo:
> Have you tried using the load_profile = true setting instead?
> 
> On Wed, Mar 9, 2011 at 2:08 PM, Felix Wolfheimer
> <f.wolfheimer@xxxxxxxxxxxxxx> wrote:
>         I'm using Condor in a Windows environment and try to start a
>         software
>         which uses IntelMPI. IntelMPI (as other MPI implementations as
>         well)
>         needs to register user credentials which are stored somewhere
>         in the
>         HKCU registry (it has other more complicated methods of
>         authorization
>         using Windows Active Directory but let's say we want to keep
>         things
>         simple.). When I submit an MPI job using Condor with
>         RunAsOwner = True
>         it seems that I can't access my user registry even though the
>         job is
>         running using my account so the mpiexec always complains about
>         missing
>         credentials. Is there any known way to get around this (i.e.
>         load my
>         HKCU and access it when the job is started)?
>         
>         _______________________________________________
>         Condor-users mailing list
>         To unsubscribe, send a message to
>         condor-users-request@xxxxxxxxxxx with a
>         subject: Unsubscribe
>         You can also unsubscribe by visiting
>         https://lists.cs.wisc.edu/mailman/listinfo/condor-users
>         
>         The archives can be found at:
>         https://lists.cs.wisc.edu/archive/condor-users/
> 
> 
> 
> -- 
> Condor Project Windows Developer
> _______________________________________________
> Condor-users mailing list
> To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users
> 
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/condor-users/