[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] x509* job ClassAds not defined when SUBMIT_REQUIREMENT is evaluated? [8.6]

On Mar 13, 2017, at 1:59 PM, Todd Tannenbaum <tannenba@xxxxxxxxxxx> wrote:

On 3/13/2017 5:49 AM, Andrea Sartirana wrote:

we use to have SUBMIT_REQUIREMENT rules involving x509UserProxyVOName
For example, like this one

(x509UserProxyVOName =!= "cms")

for draining specific VO's.
This worked perfectly fine in 8.4 (I've double-checked downgrading our
pre-production instance)

After upgrading to 8.6 these rules are no longer working, the reason
being simply that the ClassAds x509* aren't defined yet at the moment of
the SUBMIT_REQUIREMENT evaluation.
This is not a big deal, we worked this around by defining custom
classads at job submission.
I was just wandering if this was expected (I cannot find it in the
release notes...).


Hi Andrea,

Thank you for reporting the above.  I am not the security expert, but I don't believe this is the expected behavior.  I suspect perhaps a regression occurred implementing this ticket for HTCondor v8.5.8 -


We will investigate.

Things changed in HTCondor 8.5.8 so that the X509 attributes in the job ad are set by the condor_schedd daemon to reflect the userâs proxy file. Previously, condor_submit set these attributes. But the attributes are set by the schedd after SUBMIT_REQUIREMENT evaluation. We should probably change it to occur before SUBMIT_REQUIREMENT.

Thanks and regards,
Jaime Frey
UW-Madison HTCondor Project