[HTCondor-users] using LDAP groups for authorization and accounting/allocations



(A) We're interested in allowing/denying submission of jobs based on the submitter/owner's membership in various LDAP groups.

(B) We are also interested in tracking usage and (when necessary) limiting usage according to user- and group-based allocations. The allocations would exist in some kind of external source, most likely a database. And access to both user- and group-based allocations should correspond with LDAP user identity and group membership, respectively. Users may need access to multiple group-based allocations.

I have several questions:

What approaches are there for the goal in (A)? My understanding is that authorization in HTCondor (e.g., ALLOW_WRITE/DENY_WRITE) is based on users and machines, not groups (other than netgroups). We will likely have several thousand users, so manually maintaining user-based configurations will not be practical. We could script the config, but is making HTCondor keep track of thousands of users in the ALLOW_WRITE macro a good idea? Am I missing anything obvious/simple?

The use of accounting groups seems like the most common approach to goals similar to (B) and may assist in (A) as well. In particular, the AssignAccountingGroup configuration template seems like a useful tool (ref1, ref2; we could maintain a mapfile via scripting against LDAP). If the user has access to multiple allocations (e.g., user-based allocation and multiple group-based allocations), does this configuration allow them to choose their AccountingGroup and then validate their response? Or does it simply assign a single AccountingGroup per user?

And are there other approaches to (B) we should consider as well?

Thanks much!