[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Condor_RM - QUEUE_SUPER_USERS

On Monday, 5 September, 2011 at 8:46 AM, Sassy Natan wrote:
Bingo! Thanks Man

This was change because I'm using also CycleServer

Thanks Again :-)
That's been our recommended setting for accessing Condor via the SOAP API since the 7.2.x days when the API's user authentication wasn't behaving well for our customers. It's been generally safe for installations where Condor is deployed behind corporate firewalls.

You can secure things a bit by removing access to the Condor binaries for all your users once CycleServer is deployed. With CycleServer in place for submissions and job control, the only users who need access to the Condor binaries are the user that CycleServer runs as and the user that Condor runs as. Human users can go through the CycleServer interface to remove, hold and release their jobs and CycleServer will do its own level of authentication and permission checking before executing any commands on behalf of a user.

If this isn't sufficient for your needs you can use:

QUEUE_SUPER_USERS = <user that CycleServer is running as>

And set CycleServer to do submissions using the 'condor_submit -remote' command line interface instead of via the SOAP API. This is slightly more secure.

To switch CycleServer from SOAP to command line submissions you go to Admin -> System Settings. At the bottom of this page click the 'All' link in the lower left corner to show all the system settings for this CycleServer instance. Find the property 'Condor interface method' (you can use the Filter box on the table to narrow it down) and double click on it to edit the property. Change it from 'automatic' or 'soap' to 'cmdLine'. Save the changes and then restart CycleServer.

CycleServer will be using the -remote option on condor_submit to send jobs to your schedulers. You'll need to understand how this changes how your jobs are handled by the scheduler and adjust your submission tickets accordingly. To see how this changes your submissions try submitting some tickets by hand using the 'condor_submit -remote' command.

And finally, there's a new feature in the Condor Agent project that allows for proxy submissions via its HTTP REST interface to a scheduler. You can download the binaries and source code for the Condor Agent from github: https://github.com/cyclecomputing/condor-agent -- it's a beta feature at this point in time. It needs some documentation written for it. I'll get the README file for the project updated this week with information about how to setup for proxy submissions with Condor Agent. It gets around some of the challenges that the -remote option on condor_submit can introduce to some environments by making everything a local submission on the machine where the scheduler is running.

If you have any questions about configuring CycleServer with your system or about CycleServer behaviour in general please don't hesitate to email me or post in our forums at http://www.cyclecomputing.com/forums/

- Ian

Ian Chesal

Cycle Computing, LLC
Leader in Open Compute Solutions for Clouds, Servers, and Desktops
Enterprise Condor Support and Management Tools