
Re: [HTCondor-users] Error trying to set Owner attribute to Computing On Demand (COD) job.



Dear John,

HTCondor will not provide you a way to get around the OS and impersonate a user you could not
impersonate otherwise.

As far as I see, it is not completely true. Usage of the settings QUEUE_SUPER_USERS / QUEUE_SUPER_USER_MAY_IMPERSONATE allows exactly what you are saying. So HTCondor does allow some users (explicitly marked as queue super users in the configuration) to impersonate some other users (again, explicitly enlisted in the configuration). But if I get you correctly that is not the case for the COD jobs, and this will not be implemented for some conceptual reasons.

You need to Impersonate the user before you call the HTCondor python bindings to start the job.
then you need to set the Owner field of the job to match the user that you are impersonating.

That is understood, but this is not the case for us. The service which submits the job shall not run under user which has system rights to impersonate other users, it would be a security breach. Moreover, we do not have cluster users on the host where our web-service is running.

Anyway, thank you, for explanation. We then probably shall stick to vanilla universe jobs (where we can impersonate cluster users) even for the interactive jobs.

All the best,
Alexander A. Prokhorov
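The two owner checks argued over in this thread, as an added example that is not part of the thread and not HTCondor's code: a small Python model of the startd rule visible in the quoted log line (for a COD activation the ClassAd Owner must equal the authenticated requester, with no super-user exception) beside the schedd rule Alexander refers to (a requester listed in QUEUE_SUPER_USERS may set Owner to another name, which this model assumes is filtered by QUEUE_SUPER_USER_MAY_IMPERSONATE treated as a full-match regular expression), plus a parser that pulls the claimed and actual user out of startd log lines of the kind quoted below, so an administrator can count how often a client asked to run as somebody else. The function names, the regex interpretation and the sample log lines are assumptions constructed for this example.

```python
import re

# Constructed model of the policy described in the thread; not HTCondor's
# implementation.  The refusal text mirrors the startd log line quoted below.
REFUSAL_FMT = ("Error: Owner specified in ClassAd as '{owner}' yet request "
               "sent by user '{requester}', possible security attack, "
               "request refused!")


def cod_owner_check(job_ad, requester):
    """Startd side (COD activation): only a missing Owner or an Owner equal to
    the authenticated requester is accepted.  Returns (accepted, reason)."""
    owner = job_ad.get("Owner")
    if owner is None or owner == requester:
        return True, None
    return False, REFUSAL_FMT.format(owner=owner, requester=requester)


def queue_owner_check(job_ad, requester, queue_super_users, may_impersonate=".*"):
    """Schedd side (queue submission): a requester in QUEUE_SUPER_USERS may
    submit with Owner set to another user, here limited to names that
    QUEUE_SUPER_USER_MAY_IMPERSONATE (assumed to be a full-match regex,
    default '.*') matches.  Everyone else must own their own jobs."""
    owner = job_ad.get("Owner", requester)
    if owner == requester:
        return True, None
    if requester in queue_super_users and re.fullmatch(may_impersonate, owner):
        return True, None
    return False, REFUSAL_FMT.format(owner=owner, requester=requester)


# Pattern for the refusal as it appears in a startd debug log (D_HOSTNAME line).
REFUSAL_RE = re.compile(
    r"Owner specified in ClassAd as '(?P<owner>[^']*)' yet request sent by "
    r"user '(?P<requester>[^']*)'"
)


def parse_refusals(log_lines):
    """Return (claimed_owner, requester) for every refusal found in the lines,
    so mismatches can be counted per client rather than read one by one."""
    hits = []
    for line in log_lines:
        m = REFUSAL_RE.search(line)
        if m:
            hits.append((m.group("owner"), m.group("requester")))
    return hits


# Constructed sample log: one refusal of the kind quoted in the thread plus
# two unrelated startd lines that must not match.
SAMPLE_LOG = [
    "08/08/19 15:39:20 (fd:4) (pid:6314) (D_HOSTNAME) IsLocal: N, IdStr: startd at <192.168.128.6:9618>",
    "08/08/19 15:39:29 (fd:4) (pid:6314) (D_HOSTNAME) IsLocal: N, IdStr: startd at <192.168.128.6:9618>, "
    + REFUSAL_FMT.format(owner="user101", requester="rootusr"),
    "08/08/19 15:40:01 (fd:4) (pid:6314) (D_HOSTNAME) Claim activated for user rootusr",
]


if __name__ == "__main__":
    ad = {"Owner": "user101"}
    print("COD, rootusr sets Owner=user101 :", cod_owner_check(ad, "rootusr"))
    print("queue, rootusr is super user     :",
          queue_owner_check(ad, "rootusr", {"rootusr"}))
    print("queue, server is not super user  :",
          queue_owner_check(ad, "server", {"rootusr"}))
    print("refusals seen in sample log      :", parse_refusals(SAMPLE_LOG))
```

Running the block prints a refusal for the COD case, an accept for the same ad on the queue path when the requester is a queue super user, a refusal when it is not, and a single (user101, rootusr) pair from the sample log. Narrowing may_impersonate to a pattern such as "user1[0-9]{2}" keeps the super user from submitting as anyone outside that set.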


On 12 Aug 2019, at 17:17, John M Knoeller <johnkn@xxxxxxxxxxx> wrote:

You need to Impersonate the user before you call the HTCondor python bindings to start the job.
then you need to set the Owner field of the job to match the user that you are impersonating.
 
HTCondor will not provide you a way to get around the OS and impersonate a user you could not
impersonate otherwise.
 
-tj
 
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of don_vanchos
Sent: Monday, August 12, 2019 5:31 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Error trying to set Owner attribute to Computing On Demand (COD) job.
 
Hello,

Yes, I set QUEUE_SUPER_USER_MAY_IMPERSONATE, QUEUE_SUPER_USERS and VALID_COD_USERS settings, but it doesn't solve the problem.
 
As I can see, QUEUE_SUPER_USER_MAY_IMPERSONATE does not affect COD jobs, and 'user101' can't pretend to be 'rootuser'.

I read in the documentation https://htcondor.readthedocs.io/en/latest/misc-concepts/computing-on-demand.html#cod-application-attributes:
"If the condor_startd daemon is executing as root on the resource where a COD application will run, the user must also define 'Owner' to specify what user name the application will run as."
But I see that no value of 'Owner' works, all of them lead to an error, except "rootuser" or missing value. So I do not understand the documentation and it looks like the 'Owner' field is not working or does not make sense. (The error is 'Error: Owner specified in ClassAd as 'user101' yet request sent by user 'rootusr', possible security attack, request refused!')

How can I get around this error to impersonate users for the case of COD jobs?
 
 
 
Fri, 9 Aug 2019 at 20:00, Mátyás Selmeci <matyas@xxxxxxxxxxx>:

I think this is what QUEUE_SUPER_USER_MAY_IMPERSONATE (https://htcondor.readthedocs.io/en/stable/admin-manual/configuration-macros.html) is for.

-Mat

On 8/9/19 3:40 AM, Alexander Prokhorov wrote:
Dear John, 
 
Is it possible to overcome this limitation somehow? Actually, we are building an app which uses HTCondor as a calculation runtime and all the app's services (read HTCondor clients) always run as a single user "server". We need to somehow impersonate real cluster users when we do requests to HTCondor. We succeeded in this with vanilla universe jobs. Isn't this possible with COD tasks?
 
All the best,
Alexander A. Prokhorov
 
 


On 8 Aug 2019, at 21:33, John M Knoeller <johnkn@xxxxxxxxxxx> wrote:
 
You must set the Owner attribute to the same username that your python script is running as, anything else
would be a security violation
 
-tj
 
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of don_vanchos
Sent: Thursday, August 8, 2019 11:15 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Error trying to set Owner attribute to Computing On Demand (COD) job.
 
Hello,
 
I am using the Python API for COD jobs and a simple example is:
```python
import htcondor

# The original post does not show where slot_ad came from; here the startd ad
# of the first slot known to the collector is used.
collector = htcondor.Collector()
slot_ad = collector.query(htcondor.AdTypes.Startd)[0]

claim = htcondor.Claim(slot_ad)
claim.requestCOD()
job = {
    "Cmd": "/bin/echo",
    "JobUniverse": 5,             # vanilla universe
    "Iwd": "/some/dir",
    "Out": "test.out",
    "Err": "test.err",
    "StarterUserLog": "test.log",
    "Owner": "user101",           # not the user this script runs as
    "Args": "hello world",
}
claim.activate(job)
```

After that I get the following error (from `htcondor.enable_debug()`):
```
08/08/19 15:39:29 (fd:4) (pid:6314) (D_HOSTNAME) IsLocal: N, IdStr: startd at <192.168.128.6:9618>, Error: Owner specified in ClassAd as 'user101' yet request sent by user 'rootusr', possible security attack, request refused!
```

How can I make a COD job run as a specific user? If I cannot make activation from another user, what is the effect of the `Owner` attribute?
 

My settings:
```
QUEUE_SUPER_USERS = $(QUEUE_SUPER_USERS) rootusr
VALID_COD_USERS = $(QUEUE_SUPER_USERS)
```
 
-- 
Sincerely yours,
Ivan Ergunov                                                 mailto:hozblok@xxxxxxxxx
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/

 
-- 
Sincerely yours,
Ivan Ergunov                                                 mailto:hozblok@xxxxxxxxx