Re: [Condor-users] Restricting access to particular groups of machines

[Matthew Farrellee <matt@xxxxxxxxxx>]

On 10/05/2011 11:25 AM, Ian Chesal wrote:
> On Wednesday, 5 October, 2011 at 11:21 AM, Matthew Farrellee wrote:
>
> > On 10/05/2011 10:57 AM, Ian Chesal wrote:
> > > On Wednesday, 5 October, 2011 at 10:41 AM, Rochford, Steve wrote:
> > > > We can be reasonably sure that if a machine is submitted from a maths
> > > > machine then it's being submitted by a maths student; can we somehow
> > > > make use of that fact to decide where the job will get run?
> > > You can force Condor to append requirements on to job submissions
> > > automatically. This prevents user circumvention and abuse. In your case:
> > >
> > > APPEND_REQUIREMENTS = MachineBelongsToGroup == "math_department"
> > >
> > > Just make sure that setting is made on machines where people from the
> > > math department are calling condor_submit and all their jobs will be
> > > tied to math department machines.
> > >
> > > See:
> > > http://www.cs.wisc.edu/condor/manual/v7.6/3_3Configuration.html#19154
> > >
> > > For this to work, machines will need to advertise a
> > > MachineBelongsToGroup attribute like so:
> > >
> > > MachineBelongsToGroup = "math_department"
> > > STARTD_ATTRS = $(STARTD_ATTRS), MachineBelongsToGroup
> >
> > APPEND_REQUIREMENTS does *NOT* prevent user circumvention and abuse, by
> > at least two ways: 0) _CONDOR_APPEND_REQUIREMENTS=TRUE condor_submit; 1)
> > condor_qedit of Requirements after submit
> Good point.
>
> To the OP:
>
> Truly the only *real* way to keep things locked down in Condor is to run
> separate pools. For both suggestions I mentioned it's not hard to
> manipulate things to have jobs cross over to machines that aren't owned
> by the group.
>
> This kind of strict walls on machines that are in the same is not
> something Condor likes to do.

Erik posted some comments on condor-devel about how to move some of this 
trust into Condor.

Best,


matt