
Re: [Condor-users] Restricting access to particular groups of machines

On Wednesday, 5 October, 2011 at 10:41 AM, Rochford, Steve wrote:
> We can be reasonably sure that if a machine is submitted from a maths machine then it's being submitted by a maths student; can we somehow make use of that fact to decide where the job will get run?
You can force Condor to append requirements on to job submissions automatically. This prevents user circumvention and abuse. In your case:

APPEND_REQUIREMENTS = MachineBelongsToGroup == "math_department"

Just make sure that setting is made on machines where people from the math department are calling condor_submit and all their jobs will be tied to math department machines.

See: http://www.cs.wisc.edu/condor/manual/v7.6/3_3Configuration.html#19154

For this to work, machines will need to advertise a MachineBelongsToGroup attribute like so:

MachineBelongsToGroup = "math_department"
STARTD_ATTRS = $(STARTD_ATTRS), MachineBelongsToGroup

Optionally, you can have machines only accept jobs from certain schedulers. So if you have explicit control over the condor_schedd daemons you could set the START expression on the math department machines to:

START = Queue == "hostname1" || Queued == "hostname2" …and so on…

This might be less arduous to maintain.

Those are just two ways to limit access to machines that come quickly to mind. You can also look at using groups and quotas so that user jobs can land anywhere, but total machine use doesn't exceed the number of CPUs contributed to the pool by the department.

Also consider separate pools if you really need to lock things down. Truly that's the only way to ensure no abuse can occur.

- Ian
Ian Chesal

Cycle Computing, LLC
Leader in Open Compute Solutions for Clouds, Servers, and Desktops
Enterprise Condor Support and Management Tools
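
Added example, not part of the original message: a small Python check that a submit host's APPEND_REQUIREMENTS and an execute machine's advertised attributes agree, catching the case where MachineBelongsToGroup is set but left out of STARTD_ATTRS and pinned jobs sit idle. The function names and the sample configuration text are assumptions constructed for illustration, and the parser only handles simple `NAME = value` lines.

```python
import re

# Constructed sample configs built from the three settings shown in the message.
SUBMIT_CONFIG = 'APPEND_REQUIREMENTS = MachineBelongsToGroup == "math_department"\n'
EXECUTE_OK = ('MachineBelongsToGroup = "math_department"\n'
              'STARTD_ATTRS = $(STARTD_ATTRS), MachineBelongsToGroup\n')
# Constructed failure case: attribute defined locally but never advertised.
EXECUTE_NOT_ADVERTISED = 'MachineBelongsToGroup = "math_department"\n'

def parse_config(text):
    """Parse simple 'NAME = value' lines; macro names are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip().upper()] = value.strip()
    return settings

def required_group(submit_cfg):
    """Return (attribute, group) that APPEND_REQUIREMENTS pins jobs to, else None."""
    expr = parse_config(submit_cfg).get("APPEND_REQUIREMENTS", "")
    m = re.search(r'(\w+)\s*==\s*"([^"]*)"', expr)
    return m.groups() if m else None

def audit_execute_node(submit_cfg, execute_cfg):
    """List the reasons pinned jobs would never match this execute machine."""
    pin = required_group(submit_cfg)
    if pin is None:
        return ["APPEND_REQUIREMENTS does not pin jobs to a group"]
    attr, group = pin
    cfg = parse_config(execute_cfg)
    problems = []
    value = cfg.get(attr.upper())
    if value is None:
        problems.append(f"{attr} is not defined")
    # ClassAd '==' compares strings case-insensitively, so do the same here.
    elif value.strip('"').lower() != group.lower():
        problems.append(f'{attr} is {value}, but jobs require "{group}"')
    advertised = re.split(r"[,\s]+", cfg.get("STARTD_ATTRS", ""))
    if attr.lower() not in (a.lower() for a in advertised):
        problems.append(f"{attr} is missing from STARTD_ATTRS, so it is not advertised")
    return problems

if __name__ == "__main__":
    for label, cfg in (("ok", EXECUTE_OK), ("broken", EXECUTE_NOT_ADVERTISED)):
        print(label, audit_execute_node(SUBMIT_CONFIG, cfg) or "no problems")
```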