[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Restricting access to particular groups of machines

On 10/05/2011 11:25 AM, Ian Chesal wrote:

On Wednesday, 5 October, 2011 at 11:21 AM, Matthew Farrellee wrote:

On 10/05/2011 10:57 AM, Ian Chesal wrote:
On Wednesday, 5 October, 2011 at 10:41 AM, Rochford, Steve wrote:
We can be reasonably sure that if a machine is submitted from a maths
machine then it's being submitted by a maths student; can we somehow
make use of that fact to decide where the job will get run?
You can force Condor to append requirements on to job submissions
automatically. This prevents user circumvention and abuse. In your case:

APPEND_REQUIREMENTS = MachineBelongsToGroup == "math_department"

Just make sure that setting is made on machines where people from the
math department are calling condor_submit and all their jobs will be
tied to math department machines.


For this to work, machines will need to advertise a
MachineBelongsToGroup attribute like so:

MachineBelongsToGroup = "math_department"
STARTD_ATTRS = $(STARTD_ATTRS), MachineBelongsToGroup

APPEND_REQUIREMENTS does *NOT* prevent user circumvention and abuse, by
at least two ways: 0) _CONDOR_APPEND_REQUIREMENTS=TRUE condor_submit; 1)
condor_qedit of Requirements after submit
Good point.

To the OP:

Truly the only *real* way to keep things locked down in Condor is to run
separate pools. For both suggestions I mentioned it's not hard to
manipulate things to have jobs cross over to machines that aren't owned
by the group.

This kind of strict walls on machines that are in the same is not
something Condor likes to do.

Erik posted some comments on condor-devel about how to move some of this trust into Condor.