
Re: [HTCondor-users] how to pass passwords to multiple condor_q commands



> On Mar 21, 2016, at 2:25 PM, Jose Caballero <jcaballero.hep@xxxxxxxxx> wrote:
> 
> 2016-03-21 15:12 GMT-04:00 Zach Miller <zmiller@xxxxxxxxxxx>:
>> On 3/21/16, 1:32 PM, "HTCondor-users on behalf of Jose Caballero" <htcondor-users-bounces@xxxxxxxxxxx on behalf of jcaballero.hep@xxxxxxxxx> wrote:
>>> Hi,
>>> 
>>> let's say I want to run, in parallel, several condor_q commands
>>> against different remote schedds, each one of them requiring different
>>> password.
>> 
>> Are you talking about the Pool Password authentication mechanism?  This method was not designed for end-users, just daemon-to-daemon authentication. (Or possibly running user tools as root)
>> 
>> There is no way to pass the password itself.  It is always read from a file (UNIX) or the registry (Windows) inside the authentication code.  As such, the best you can do today is to have multiple files containing the various passwords and set a per-invocation environment variable:
>> 
>> _CONDOR_SEC_PASSWORD_FILE=/home/world-readable-passwords/password-file1 condor_q ...
>> 
>> Really, though, users should not be allowed to read or use the password files, and for your model I'd suggest you create an SSL cert that is accepted by each of the Schedds.
>> 
>> 
>> Cheers,
>> -zach
>> 
>> _
> 
> 
> Hi Zach,
> 
> The schedds are not under my control, so not easy to have a single SSL
> cert for all of them.
> So I guess the only way is, every time one of them is running, to lock
> the others to avoid mixing the _CONDOR_SEC_PASSWORD_FILE variables.
> 

You can always use python multiprocessing and just set htcondor.config["SEC_PASSWORD_FILE"] variable as appropriate before invoking the Schedd.query method.  As long as a single thread per process is doing a query, you should be set.

But, as Zach mentioned, this appears to be a fairly strange security setup.  Please note that, over high latency links, PASSWORD-based security has a much larger impact on the schedd than using GSI as PASSWORD is blocking.

Brian
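
The per-invocation environment variable described in this thread, run in parallel without locking, as an added example that is not part of the original messages: each child process receives its own copy of the environment, so the `_CONDOR_SEC_PASSWORD_FILE` values cannot mix. It uses `subprocess` rather than the htcondor bindings; the schedd names, file paths and the owner-only permission check are assumptions.

```python
import os
import stat
import subprocess
from concurrent.futures import ThreadPoolExecutor


def check_private(path):
    """Reject a password file that other local users could read (UNIX only)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not owned by the calling user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: group/other access bits set, expected 0600")


def run_one(schedd, password_file, base_cmd):
    """Run one query in a child process that carries its own password file setting."""
    check_private(password_file)
    env = dict(os.environ)  # a copy: the parent's environment is never modified
    env["_CONDOR_SEC_PASSWORD_FILE"] = password_file
    proc = subprocess.run(base_cmd + ["-name", schedd], env=env,
                          capture_output=True, text=True, timeout=120)
    return schedd, proc.returncode, proc.stdout


def query_all(targets, base_cmd=("condor_q",)):
    """targets maps schedd name -> password file; returns {schedd: (rc, stdout)}."""
    with ThreadPoolExecutor(max_workers=len(targets)) as pool:
        futures = [pool.submit(run_one, name, pw, list(base_cmd))
                   for name, pw in targets.items()]
        return {name: (rc, out) for name, rc, out in (f.result() for f in futures)}


if __name__ == "__main__":
    # Constructed sample mapping: host names and paths are placeholders.
    sample = {
        "schedd1.example.org": os.path.expanduser("~/.condor/pw-schedd1"),
        "schedd2.example.org": os.path.expanduser("~/.condor/pw-schedd2"),
    }
    for name, (rc, out) in query_all(sample).items():
        print(f"== {name} (exit {rc})")
        print(out)
```
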