On 01/12/2013 12:21 PM, Dimitri Maziuk wrote:
On 1/12/2013 6:26 AM, Matthew Farrellee wrote:
I've had success with startd cron for advertising the contents of a cache, and highly recommend it over configuration changes.
As I understand startd cron, you configure your nodes to periodically run a script that publishes custom attributes, and the way a regular
Yes, where you == administrator.
user would publish their custom attributes is by modifying the script. (Or am I missing something?)
No, the administrator needs to control the script. It should: gather | sanitize | publish. gather could be as simple as ls /thecache.
The script runs as condor (root) user, so security-wise this is worse than letting them 'sudo condor-reconfig' as now they can run anything as condor.
Security-wise giving the job owner the ability to change configuration on a node is equivalent to giving them a setuid-root script to run.
Either way, my point was that doesn't work when you're shipping (flocking, gliding) jobs off-site and have no control over execute nodes whatsoever.
If you are crossing administrative domains, neither solution will work without cross-organizational agreement. I expect you'll have a simpler time asking for a startd cron to be run than allowing jobs to alter node configuration.
Best, matt
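
A sketch of the gather | sanitize | publish script described in the thread, as an added example that is not from either poster or from the HTCondor project. It assumes the startd cron job's standard output is read as `Attribute = value` lines; the attribute name `CacheContents`, the entry cap and the name allowlist are hypothetical choices.

```python
#!/usr/bin/env python3
"""Startd cron hook sketch: gather | sanitize | publish (added example)."""
import os
import re
import sys

CACHE_DIR = "/thecache"          # path taken from the thread
ATTR_NAME = "CacheContents"      # hypothetical attribute name
MAX_ENTRIES = 256                # assumed cap on advertised entries
# Allowlist: names outside it are dropped, never escaped or "repaired".
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def gather(cache_dir):
    """Return raw entry names; they are user-influenced and untrusted."""
    try:
        return os.listdir(cache_dir)
    except OSError:
        return []  # a missing or unreadable cache advertises as empty


def sanitize(names):
    """Keep only allowlisted names, sorted, de-duplicated and capped."""
    safe = sorted({n for n in names if SAFE_NAME.fullmatch(n)})
    return safe[:MAX_ENTRIES]


def publish(names):
    """Format one ClassAd string attribute. No quote, comma or newline
    survives sanitize(), so a file name cannot add or alter attributes."""
    return '%s = "%s"' % (ATTR_NAME, ",".join(names))


def main():
    # The script runs with the daemon's privileges, so file names are only
    # ever treated as data: nothing here is passed to a shell or evaluated.
    sys.stdout.write(publish(sanitize(gather(CACHE_DIR))) + "\n")


if __name__ == "__main__":
    main()
```

Because the administrator owns the script and job owners only influence what sits in the cache directory, the allowlist in `sanitize` is the whole trust boundary.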