
Re: [HTCondor-users] Submitting different users jobs from the single remote user.



Hi Sergey,

Some answers inline.

> On Jun 20, 2019, at 7:19 AM, Sergey A. Komissarov <sergey.komissarov@xxxxxxxxxxxxxx> wrote:
> 
> Hello,
> 
> We are trying to build an application which submits jobs to the htcondor cluster.
> In our test setup we have docker containers in the same network: an htcondor cluster 
> with CentralManager, Submit and Execute instances sharing the same SHARED_PORT_PORT and CONDOR_HOST settings,
> and a docker container with the application server, which uses the htcondor python bindings without htcondor itself installed.
> 
> I have two questions:
> 
> 1) Which security model to choose? 
> Application server and all htcondor services are in the trusted network, so I guess we may use something simple like
> HOST_BASED security and pool password authentication between condor services. 
> And token or certificate authentication for the application server.
> 

Probably pool password is the most reasonable choice here.  If you're interested in new approaches, the "TOKEN" auth is of similar simplicity but provides more fine-grained auth.  It is available starting with HTCondor 8.9.2.

> 2) Is it possible to change job owner when it is submitted from the application server to htcondor?
> The application server is run under its own user but knows the username and uid of the real job owner. All users who
> need to start jobs have the same names and uids in every docker container. Maybe we can use an individual token for each user 
> with a unique identity?
> 

This may be technically feasible, but there's a simpler approach -- you can mark the application server as a "queue superuser".  See:

https://htcondor.readthedocs.io/en/latest/admin-manual/configuration-macros.html?highlight=queue_super_user_may_impersonate

If you set:

QUEUE_SUPER_USERS = apache
QUEUE_SUPER_USER_MAY_IMPERSONATE = joe|bob|frida

(the second config variable is a regex)

then the apache user will be allowed to impersonate users joe, bob, and frida.  By "impersonate", we mean that it can set the Owner attribute in the submit object for python.  That is,

sub["+Owner"] = '"bob"'

This will cause HTCondor to run the job as user "bob".

HTH,

Brian
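The impersonation set-up from Brian's reply, as an added example that is not part of the thread: the application server (configured as a queue superuser) pre-checks the requested owner against the same regex it expects in QUEUE_SUPER_USER_MAY_IMPERSONATE, then builds a Submit description with the Owner attribute set as a properly quoted ClassAd string. The anchored `fullmatch` check, the helper names and the use of `Schedd.submit()` are assumptions of this example; the schedd remains the real policy enforcement point.

```python
import re

# Same value as the QUEUE_SUPER_USER_MAY_IMPERSONATE line in the reply.
# Assumption: treat it as anchored (fullmatch) so "bob" does not also admit "bobby".
SUPER_USER_MAY_IMPERSONATE = r"joe|bob|frida"


def impersonation_allowed(owner: str, pattern: str = SUPER_USER_MAY_IMPERSONATE) -> bool:
    """Client-side pre-check of `owner` against the impersonation regex.

    This only gives the application server an early, clear failure; the schedd
    enforces the configured policy regardless of what the client checks.
    """
    return re.fullmatch(pattern, owner) is not None


def classad_string(value: str) -> str:
    """Quote a Python str as a ClassAd string literal (backslash and quote escaped)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_submit_description(owner: str, executable: str, arguments: str = "") -> dict:
    """Return a Submit description that asks the schedd to run the job as `owner`.

    Keys starting with '+' are raw ClassAd expressions, so the owner name must be
    passed as a quoted string literal ('"bob"'), not as a bare word ('bob').
    """
    if not impersonation_allowed(owner):
        raise PermissionError(f"{owner!r} is not matched by QUEUE_SUPER_USER_MAY_IMPERSONATE")
    return {
        "executable": executable,
        "arguments": arguments,
        "output": f"{owner}.$(ClusterId).out",
        "error": f"{owner}.$(ClusterId).err",
        "log": "impersonated.log",
        "+Owner": classad_string(owner),
    }


def submit_as(owner: str, executable: str, arguments: str = "") -> int:
    """Submit via the python bindings and return the cluster id.

    The bindings are imported here so the helpers above can be used (and tested)
    on a host without htcondor installed.
    """
    import htcondor  # assumption: htcondor.Submit / Schedd.submit as in 8.9.2+

    sub = htcondor.Submit(build_submit_description(owner, executable, arguments))
    return htcondor.Schedd().submit(sub).cluster()
```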