On 3/13/2017 5:49 AM, Andrea Sartirana wrote:
Hi,
we used to have SUBMIT_REQUIREMENT rules involving x509UserProxyVOName
classAd.
For example, like this one
(x509UserProxyVOName =!= "cms")
for draining specific VO's.
This worked perfectly fine in 8.4 (I've double-checked downgrading our
pre-production instance)
After upgrading to 8.6 these rules are no longer working, the reason
being simply that the ClassAds x509* aren't defined yet at the moment of
the SUBMIT_REQUIREMENT evaluation.
This is not a big deal, we worked this around by defining custom
classads at job submission.
I was just wondering if this was expected (I cannot find it in the
release notes...).
Regards,
Andrea
Hi Andrea,
Thank you for reporting the above. I am not the security expert, but I don't believe this is the expected behavior. I suspect perhaps a regression occurred implementing this ticket for HTCondor v8.5.8 -
https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=5064
We will investigate.
Things changed in HTCondor 8.5.8 so that the X509 attributes in the job ad are set by the condor_schedd daemon to reflect the user's proxy file. Previously, condor_submit set these attributes. But the attributes are set by the schedd after SUBMIT_REQUIREMENT evaluation. We should probably change it to occur before SUBMIT_REQUIREMENT.
Thanks and regards,
Jaime Frey
UW-Madison HTCondor Project