
Re: [Condor-users] Restricting access to particular groups of machines

On Wednesday, 5 October, 2011 at 11:21 AM, Matthew Farrellee wrote:

On 10/05/2011 10:57 AM, Ian Chesal wrote:
On Wednesday, 5 October, 2011 at 10:41 AM, Rochford, Steve wrote:
We can be reasonably sure that if a machine is submitted from a maths
machine then it's being submitted by a maths student; can we somehow
make use of that fact to decide where the job will get run?

You can force Condor to append requirements on to job submissions
automatically. This prevents user circumvention and abuse. In your case:

APPEND_REQUIREMENTS = MachineBelongsToGroup == "math_department"

Just make sure that setting is made on machines where people from the
math department are calling condor_submit and all their jobs will be
tied to math department machines.

See: http://www.cs.wisc.edu/condor/manual/v7.6/3_3Configuration.html#19154

For this to work, machines will need to advertise a
MachineBelongsToGroup attribute like so:

MachineBelongsToGroup = "math_department"
STARTD_ATTRS = $(STARTD_ATTRS), MachineBelongsToGroup

APPEND_REQUIREMENTS does *NOT* prevent user circumvention and abuse, by
at least two ways: 0) _CONDOR_APPEND_REQUIREMENTS=TRUE condor_submit; 1)
condor_qedit of Requirements after submit

Good point.

To the OP:

Truly the only *real* way to keep things locked down in Condor is to run separate pools. For both suggestions I mentioned, it's not hard to manipulate things to have jobs cross over to machines that aren't owned by the group.

This kind of strict walls on machines that are in the same pool is not something Condor likes to do.

It encourages people to think less about owning resources and more about contributing fractions. In particular, group quotas are all about the fractional contributions.

- Ian

Ian Chesal

Cycle Computing, LLC
Leader in Open Compute Solutions for Clouds, Servers, and Desktops
Enterprise Condor Support and Management Tools
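
Since the thread concludes that APPEND_REQUIREMENTS can be overridden at submit time or edited away with condor_qedit, an administrator who keeps the setting may still want to audit the queue for jobs that are not pinned to the group. The following is an added example, not code from this thread or from the Condor project: it assumes job ads are exported in the `Attr = value` form that `condor_q -long` prints, and the function names and the sample ads (including "physics_department") are constructed for illustration.

```python
import re

REQUIRED = 'machinebelongstogroup=="math_department"'  # the page's clause, normalized

def parse_ads(text):
    """Split blank-line separated `Attr = value` records into dicts."""
    return [dict(ln.split(" = ", 1) for ln in block.splitlines() if " = " in ln)
            for block in re.split(r"\n\s*\n", text.strip())]

def _outside(expr):
    """Yield (index, char, paren depth after char) for chars outside string literals."""
    depth, in_str = 0, False
    for i, c in enumerate(expr):
        if c == '"':
            in_str = not in_str
        elif not in_str:
            depth += (c == "(") - (c == ")")
            yield i, c, depth

def conjuncts(expr):
    """Flatten expr into its top-level && operands, unwrapping enclosing parentheses."""
    expr = expr.strip()
    cuts = [i for i, _, d in _outside(expr) if d == 0 and expr.startswith("&&", i)]
    if cuts:
        bounds = [-2] + cuts + [len(expr)]
        return [q for a, b in zip(bounds, bounds[1:]) for q in conjuncts(expr[a + 2:b])]
    closes = [i for i, c, d in _outside(expr) if c == ")" and d == 0]
    if expr.startswith("(") and closes[:1] == [len(expr) - 1]:
        return conjuncts(expr[1:-1])
    # Attribute names are case-insensitive; drop whitespace and the TARGET. scope.
    return [re.sub(r"\s+", "", expr).lower().replace("target.", "")]

def unpinned_jobs(condor_q_long):
    """ClusterIds whose Requirements lack REQUIRED as a top-level conjunct."""
    return [ad.get("ClusterId") for ad in parse_ads(condor_q_long)
            if REQUIRED not in conjuncts(ad.get("Requirements", ""))]

# Constructed sample in the shape of `condor_q -long` output (not real pool data).
SAMPLE = """\
ClusterId = 101
Requirements = ((TARGET.Arch == "X86_64") && (TARGET.OpSys == "LINUX")) && (MachineBelongsToGroup == "math_department")

ClusterId = 102
Requirements = (TARGET.Arch == "X86_64") && (TARGET.OpSys == "LINUX")

ClusterId = 103
Requirements = (TARGET.Arch == "X86_64") && ((MachineBelongsToGroup == "math_department") || (MachineBelongsToGroup == "physics_department"))
"""
print(unpinned_jobs(SAMPLE))  # ['102', '103']
```

The check requires the clause as a top-level conjunct rather than a substring, because a clause that only appears inside a disjunction does not restrict where the job matches. It detects unpinned jobs after the fact and does not enforce anything.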