That is very helpful, Thomas. Thanks for sharing. It does seem that we have a workable approach in mind, and there are lots of other ideas in your slides for consideration as well.

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of "Finnern, Thomas" <thomas.finnern@xxxxxxx>

Hello Jacob,

as far as I understand your request, we are doing exactly what you need at DESY for about 1,5 k users. You may have a look at my slides from the htcondor workshop last year at RAL:

We are filling htcondor user maps from ldap groups and with transforms on the schedulers we ensure the validity of a user request. Additionally we use a job wrapper on the workers to set the requested group as primary. Also the quota and share settings are based on job requirements and project groups.

Cheers,
Thomas

From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf Of Rundall, Jacob D

(A) We're interested in allowing/denying submission of jobs based on the submitter/owner's membership in various LDAP groups.

(B) We are also interested in tracking usage and (when necessary) limiting usage according to user- and group-based allocations. The allocations would exist in some kind of external source, most likely a database. And access to both user- and group-based allocations should correspond with LDAP user identity and group membership, respectively. Users may need access to multiple group-based allocations.

I have several questions:

What approaches are there for the goal in (A)? My understanding is that authorization in HTCondor (e.g., ALLOW_WRITE/DENY_WRITE) is based on users and machines, not groups (other than netgroups). We will likely have several thousand users, so manually maintaining user-based configurations will not be practical. We could script the config, but is making HTCondor keep track of thousands of users in the ALLOW_WRITE macro a good idea? Am I missing anything obvious/simple?

The use of accounting groups seems like the most common approach to goals similar to (B) and may assist in (A) as well. In particular, the AssignAccountingGroup configuration template seems like a useful tool (ref1, ref2; we could maintain a mapfile via scripting against LDAP). If the user has access to multiple allocations (e.g., user-based allocation and multiple group-based allocations), does this configuration allow them to choose their AccountingGroup and then validate their response? Or does it simply assign a single AccountingGroup per user?

And are there other approaches to (B) we should consider as well?

Thanks much!
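
The mapfile-from-LDAP scripting discussed in this thread, sketched as an added example; it is not code from either poster, from DESY, or from the HTCondor project. It assumes a map line layout of `* <user> <group1>,<group2>`, and the LDAP data, the group names and the deny-on-mismatch policy in `resolve_group` are hypothetical.

```python
import re

# Constructed sample data standing in for an LDAP query result
# (LDAP group -> member uids); every name here is hypothetical.
LDAP_GROUPS = {
    "proj_alpha": ["alice", "bob"],
    "proj_beta": ["alice", "carol"],
    "it_staff": ["dave"],              # has no allocation, so never mapped
    "proj_gamma": ["eve/.*", "bob"],   # malformed uid, must be rejected
}
# Hypothetical mapping from LDAP group to accounting group.
ALLOCATIONS = {"proj_alpha": "group_alpha", "proj_beta": "group_beta",
               "proj_gamma": "group_gamma"}

# Only plain account-style names may reach the map file.
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def build_user_map(ldap_groups, allocations):
    """Return {user: [accounting groups]}, skipping unmapped or unsafe names."""
    user_map = {}
    for ldap_group in sorted(ldap_groups):
        acct = allocations.get(ldap_group)
        if acct is None or not SAFE_NAME.match(acct):
            continue
        for uid in ldap_groups[ldap_group]:
            # Whitespace, '/' or regex metacharacters in a uid could change
            # how the generated line is parsed, so such entries are dropped.
            if SAFE_NAME.match(uid):
                user_map.setdefault(uid, []).append(acct)
    return user_map

def render_mapfile(user_map):
    """Assumed layout: '* <user> <group1>,<group2>', first group as default."""
    return "".join(f"* {u} {','.join(g)}\n" for u, g in sorted(user_map.items()))

def resolve_group(user_map, user, requested=None):
    """This example's own policy: a request must be in the user's list."""
    allowed = user_map.get(user, [])
    if not allowed:
        return None                    # no allocation: deny submission
    if requested is None:
        return allowed[0]              # fall back to the default group
    return requested if requested in allowed else None

if __name__ == "__main__":
    print(render_mapfile(build_user_map(LDAP_GROUPS, ALLOCATIONS)), end="")
```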