
Re: [HTCondor-users] rights delegation

Hi Daniel,

The authorization system of HTCondor daemons tends to allow a particular set of entities to be authorized per resource (such as setting fairshare settings); while each resource can be configured individually, I can't think of any case where the resources can be subdivided / delegated.

That's a vague response.  A few concrete examples based on questions you ask:
- Configuration settings: HTCondor processes all directories specified by the LOCAL_CONFIG_DIR list, then LOCAL_CONFIG_FILE.  You could probably have one config.d directory for "global" admins which overrides the one set by the "local" admins.  You could then use local unix permissions to prevent the local admins from overriding the global admin config.
  - If your local admins are actually root, then you already trust them - and can just each carve out your own "namespace" in the LOCAL_CONFIG_DIR directory.
- I can't think of any way to have admins "share" parts of the fairshare settings.  *However*,
  - Fairshare settings can be controlled via Python bindings in 8.1.x; it shouldn't take too much effort to build a Python web app which enforces an external access policy.
- Typically, the schedd is configured to rely on FS authentication.  That is, if the user has a local unix login, they are mapped to that user name in HTCondor.
  - Other security methods can be used; HTCondor can utilize GSI or Kerberos to get authentication.
  - In the 8.0 series, you specify the super-users (those people who are allowed to manage others' jobs; defaults to 'root' and 'condor') and allowed users either via a whitelist (Alice, Bob, Brian) or wildcard.  In 8.1.2 (or so - not released), you can use netgroups so all people in a given group can admin your cluster.
    - So, you can say "group foo can administer jobs in this schedd; groups bar and baz can submit jobs".  Again, this is not yet released in the wild; just my reading of https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=3859.

Not exactly a squeaky clean, consistent picture.  But that should get you started!


On Oct 15, 2013, at 4:13 AM, Pek Daniel <pekdaniel@xxxxxxxxx> wrote:

> Hi,
> Is there any existing solution for managing/delegating access rights
> to different configuration settings, and making possible for different
> admins of groups or subgroups to manage their groups, like adding new
> users, new subgroups, subgroup-admins, changing fairshare settings on
> the subgroups and users, and doing this in a hierarchical way?
> Thanks,
> Daniel
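
The external access policy suggested in the reply could be sketched as below. This is an added example, not code from the thread or from HTCondor: it checks hierarchical delegation over dotted group names before a fairshare change is applied. The group names, the delegation table, the use of 'root' and 'condor' as global admins and the `apply` callable (whatever performs the change in a real deployment) are assumptions.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed policy table: each admin is delegated one or more group subtrees.
DELEGATIONS: Dict[str, Set[str]] = {
    "alice": {"group_physics"},        # the whole physics subtree
    "bob": {"group_physics.cms"},      # a single subgroup and its children
}
# Assumption for this example: these accounts may change any group.
GLOBAL_ADMINS: Set[str] = {"root", "condor"}


def _valid_group(name: str) -> bool:
    """Accept only dotted names made of non-empty alphanumeric/underscore parts."""
    return all(p and p.replace("_", "").isalnum() for p in name.split("."))


def is_authorized(admin: str, target: str) -> bool:
    """True if admin was delegated target itself or one of its ancestors."""
    if not _valid_group(target):
        return False
    if admin in GLOBAL_ADMINS:
        return True
    for root in DELEGATIONS.get(admin, ()):
        # Compare on a dot boundary so "group_physics" does not
        # accidentally cover "group_physics2".
        if target == root or target.startswith(root + "."):
            return True
    return False


def set_fairshare(admin: str, target: str, factor: float,
                  apply: Callable[[str, float], None],
                  audit: List[Tuple[str, str, float, str]]) -> bool:
    """Check the policy, record the decision, and only then call apply()."""
    allowed = is_authorized(admin, target) and factor > 0
    audit.append((admin, target, factor, "allow" if allowed else "deny"))
    if allowed:
        apply(target, factor)  # hypothetical hook for the real change
    return allowed
```

The web app would authenticate the caller first and pass the resulting identity as `admin`; denied requests are still written to the audit list so refused changes remain visible.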