
Re: [HTCondor-users] Different groupids on submit host and execute node possible ?



Hi Yves,

Here's what I would do if it were my site:
1) Write a small setuid program and add it to the USER_JOB_WRAPPER.  Have it pick from one of the available group names based on the group name in the ClassAd, then execute the program with the appropriate UID / GID.
  - Have the group name recorded at submit time.
  - I don't know what issues you ran into originally, but it should be able to get this to work reliably.

2) Engage with the HTCondor team for a longer-term solution.  Now is an opportune time.  They are currently working on the basic primitives for modeling group membership in HTCondor on the schedd side: it would make a ton of sense to think what group membership means on the execute side as well!

Brian

> On Jul 28, 2016, at 10:33 AM, Yves Kemp <yves.kemp@xxxxxxx> wrote:
> 
> Hi Brian,
> 
> the intended use is the following:
> We have many users that work in different projects.
> Each project has its own work-group-server where people develop code, test, and submit jobs.
> Each project also has its own NFS server/space where people within the project share files.
> 
> It has turned out that people are very bad at setting or changing appropriate group ownerships of their files.
> So, they write files, the files belong to their primary group, even if this is not the project they intended.
> We have tried the SETGID bit on filesystem level, but it turned out this did not work reliably.
> 
> We currently have a system where the primary group is set at login time via SSSD on the work-group-server. 
> The current batch system (still SoGE) takes the primary group id used at submit time to execute the job.
> 
> Best,
> 
> Yves
> 
>> On 27 Jul 2016, at 21:03, Brian Bockelman <bbockelm@xxxxxxxxxxx> wrote:
>> 
>> Hi Christoph,
>> 
>> I can't think of any clean HTCondor way to do this.  The GID is always taken from the worker node.
>> 
>> That said, you might be able to write a small executable with the CAP_SETGID file capability, then add this to your site's USER_JOB_WRAPPER.
>> 
>> Can you describe the use case a bit more?  We might be able to come up with a workaround that doesn't require this...
>> 
>> Brian
>> 
>>> On Jul 27, 2016, at 5:14 AM, Beyer, Christoph <christoph.beyer@xxxxxxx> wrote:
>>> 
>>> 
>>> Hi,
>>> 
>>> I am looking for a solution that will allow to ignore the primary gid of the jobowner on the executenode and use the 'active'/different gid the user had at submit time on the submit host. 
>>> 
>>> Is there a knob for that ? 
>>> 
>>> best regards
>>>      ~christoph
>>> 
>>> 
>>> -- 
>>> /*   Christoph Beyer     |   Office: Building 2b / 23     *\
>>> *   DESY                |    Phone: 040-8998-2317        *
>>> *   - IT -              |      Fax: 040-8994-2317        *
>>> \*   22603 Hamburg       |     http://www.desy.de         */
>>> _______________________________________________
>>> HTCondor-users mailing list
>>> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
>>> subject: Unsubscribe
>>> You can also unsubscribe by visiting
>>> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>>> 
>>> The archives can be found at:
>>> https://lists.cs.wisc.edu/archive/htcondor-users/
>> 
> 
> # Dr. Yves Kemp
> # Desy IT  # room 2b/008 
> # Notkestr. 85 # D-22607 Hamburg
> # Fon: +49-(0)40-8998-2318 # Fax: +49-(0)40 8994-2318
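
One way the group-switching wrapper from step 1 could look, as an added example that is not part of the original thread and is not HTCondor code. It assumes a hypothetical binary `jobwrap`, installed setuid-root or with the `CAP_SETGID` file capability, that the site's `USER_JOB_WRAPPER` calls with the submit-time group name as its first argument; it only switches to a group the job owner already belongs to on the execute node.

```c
/* Added example: group-switching job wrapper (hypothetical, not HTCondor code).
 * Assumed invocation: jobwrap <group-name> <job-executable> [args...] */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if `user` may use group `gr`: it is the primary group or lists the user. */
int user_in_group(const struct group *gr, const char *user, gid_t primary)
{
    if (!gr || !user) return 0;
    if (gr->gr_gid == primary) return 1;
    for (char **m = gr->gr_mem; m && *m; m++)
        if (strcmp(*m, user) == 0) return 1;
    return 0;
}

/* Map a requested group name to a gid, only if account `uid` belongs to it. */
int resolve_job_gid(uid_t uid, const char *name, gid_t *out)
{
    struct passwd *pw = getpwuid(uid);
    if (!pw || !name) return -1;
    char user[256];
    snprintf(user, sizeof user, "%s", pw->pw_name); /* copy: static buffer */
    gid_t primary = pw->pw_gid;
    struct group *gr = getgrnam(name);
    if (!gr || gr->gr_gid == 0 || !user_in_group(gr, user, primary)) return -1;
    *out = gr->gr_gid;
    return 0;
}

int main(int argc, char **argv)
{
    gid_t gid;
    uid_t uid = getuid();              /* real uid: the job owner */
    if (argc < 3 || resolve_job_gid(uid, argv[1], &gid) != 0) {
        fprintf(stderr, "jobwrap: group not permitted for uid %ld\n", (long)uid);
        return 1;
    }
    /* Group first, then user: after setuid() the gid can no longer change. */
    if (setgid(gid) != 0 || setuid(uid) != 0) { perror("jobwrap"); return 1; }
    /* Fail closed if the drop did not stick (root must not be regainable). */
    if (getgid() != gid || getegid() != gid || (uid != 0 && setuid(0) == 0))
        return 1;
    execv(argv[2], &argv[2]);
    perror("jobwrap: execv");
    return 127;
}
```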