
Re: [HTCondor-users] jobs getting run as nobody



Hi Michael,

Just a thought - 

- Use the START expression of the worker node to reject any job where RunAsOwner is false.  That works today in almost any version of HTCondor.
- You can use SUBMIT_REQUIREMENTS to enforce RunAsOwner to be set as true at submit time.
- 8.5.2 will have the concept of “immutable attributes”: attributes that can only be changed by the sysadmin.  This prevents further qedits post-submit.

I’m sure you found it but here’s the relevant section in the manual.

http://research.cs.wisc.edu/htcondor/manual/v8.5/3_6Security.html#SECTION004613200000000000000

Brian

On Feb 10, 2016, at 11:03 AM, Michael V Pelletier <Michael.V.Pelletier@xxxxxxxxxxxx> wrote:

From: John M Knoeller <johnkn@xxxxxxxxxxx>
Date: 02/10/2016 10:46 AM
 
> Did You have

> STARTER_ALLOW_RUNAS_OWNER = TRUE
> On the execute side?

Speaking of which, is there a "starter_REQUIRE_runas_owner" knob? Under classified information systems every action on a system must be accountable to the individual who took the action, and thus far that's been easiest to accomplish by having jobs on exec nodes run under the submitters' accounts.

I've been using a system periodic hold based on runas_owner=false in the job ClassAd to enforce that, but if there's an easier way I haven't found it yet.

        -Michael Pelletier.
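
The three suggestions in the reply above, combined into one HTCondor configuration sketch. This is an added example, not configuration posted by anyone in the thread. The requirement name RunAsOwnerSet is hypothetical, and the strict `=?= True` test, which also rejects jobs that omit the attribute, is an assumption about the desired policy.

```conf
# Added example; HTCondor configuration, not taken from the thread.

## Execute nodes
# Permit the starter to run the job under the submitter's account.
STARTER_ALLOW_RUNAS_OWNER = TRUE
# Refuse to match any job whose ad does not say RunAsOwner = True.
# =?= is the ClassAd "is identical to" operator, so a job that omits the
# attribute (UNDEFINED) is rejected as well as one that sets it to False.
START = ($(START)) && (TARGET.RunAsOwner =?= True)

## Submit nodes (condor_schedd)
# "RunAsOwnerSet" is a hypothetical requirement name chosen for this example.
# TARGET refers to the job ad being submitted.
SUBMIT_REQUIREMENT_NAMES = $(SUBMIT_REQUIREMENT_NAMES) RunAsOwnerSet
SUBMIT_REQUIREMENT_RunAsOwnerSet = (TARGET.RunAsOwner =?= True)
SUBMIT_REQUIREMENT_RunAsOwnerSet_REASON = "Jobs must be submitted with run_as_owner = True"

# 8.5.2 and later: prevent the attribute from being changed with
# condor_qedit once the job has been submitted.
IMMUTABLE_JOB_ATTRS = $(IMMUTABLE_JOB_ATTRS) RunAsOwner
```

After a condor_reconfig, `condor_config_val START` on an execute node shows the effective expression, and `condor_q -af Owner RunAsOwner` lists what queued jobs actually carry.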