[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Restricting access to particular groups of machines

On 10/05/2011 10:57 AM, Ian Chesal wrote:
On Wednesday, 5 October, 2011 at 10:41 AM, Rochford, Steve wrote:
We can be reasonably sure that if a machine is submitted from a maths
machine then it's being submitted by a maths student; can we somehow
make use of that fact to decide where the job will get run?
You can force Condor to append requirements on to job submissions
automatically. This prevents user circumvention and abuse. In your case:

APPEND_REQUIREMENTS = MachineBelongsToGroup == "math_department"

Just make sure that setting is made on machines where people from the
math department are calling condor_submit and all their jobs will be
tied to math department machines.

See: http://www.cs.wisc.edu/condor/manual/v7.6/3_3Configuration.html#19154

For this to work, machines will need to advertise a
MachineBelongsToGroup attribute like so:

MachineBelongsToGroup = "math_department"
STARTD_ATTRS = $(STARTD_ATTRS), MachineBelongsToGroup

APPEND_REQUIREMENTS does *NOT* prevent user circumvention and abuse, by at least two ways: 0) _CONDOR_APPEND_REQUIREMENTS=TRUE condor_submit; 1) condor_qedit of Requirements after submit