3/13/2017 5:49 AM, Andrea Sartirana wrote:
you for reporting the above. I am not the security expert, but I don't believe this is the expected behavior. I suspect perhaps a regression occurred implementing this ticket for HTCondor v8.5.8 -
we use to have SUBMIT_REQUIREMENT rules involving x509UserProxyVOName
For example, like this one
(x509UserProxyVOName =!= "cms")
for draining specific VO's.
This worked perfectly fine in 8.4 (I've double-checked downgrading our
After upgrading to 8.6 these rules are no longer working, the reason
being simply that the ClassAds x509* aren't defined yet at the moment of
the SUBMIT_REQUIREMENT evaluation.
This is not a big deal, we worked this around by defining custom
classads at job submission.
I was just wandering if this was expected (I cannot find it in the
Things changed in HTCondor 8.5.8 so that the X509 attributes in the job ad are set by the condor_schedd daemon to reflect the userâs proxy file. Previously, condor_submit set these attributes. But the attributes are set by the schedd after SUBMIT_REQUIREMENT
evaluation. We should probably change it to occur before SUBMIT_REQUIREMENT.
Thanks and regards,
UW-Madison HTCondor Project