Subject: Re: [HTCondor-users] Setting policy using Linux Groups?
I know what you're getting at, as I've
dealt with this situation before.
Back when I was using my Perl qsub script
during the Grid Engine migration, one of the steps it took was to check
for membership in a Linux group which matched one of the names found in
the GROUP_NAMES config value, so someone in the "flighttest"
Linux group would have their jobs submitted with +AccountingGroup = "group_flighttest",
or after I upgraded from 7.x, accounting_group = "group_flighttest".
Of course, that's only possible if your
script is what's actually generating your submit description.
One might think of using a prepare_job
hook, but that won't do the trick because it only runs after the job is
matched, and that's too late - you need to set the accounting group before
the job runs so that it will be handled appropriately by the negotiator
when allocating resources.
To administratively put something into
a job submission, you have the SUBMIT_ATTRS directive, which specifies
attribute names which will be inserted into all job ClassAds. However the
trouble there is that the value of a configuration macro is only created
when the configuration is read, not each time a submission is made. You'd
want something that would run a script at submission time to check Linux
group membership to generate the appropriate accounting group, but from
what I can tell the only place that script output is read is at the "queue
in" syntax. And that's a good thing, for security reasons.
So you may be stuck simply insisting
that the users specify the appropriate accounting group in their submissions,
unless you want to go to the lengths of writing a wrapper for condor_submit
or aliasing in the shell to add an "-append" argument that runs
a suitable script.
I've found that it helps if you set
the default priority factor to something fairly high, so that people who
don't specify a group get a much smaller share of resources than those
who do. Depending on how ornery your users are you may also want to write
something to check to be sure they're using the appropriate groups by checking
their Linux group membership against their jobs' accounting groups.
Michael V. Pelletier
IT Program Execution