Re: [HTCondor-users] How to add new users
- Date: Mon, 12 Dec 2022 15:51:09 -0600
- From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] How to add new users
On 12/8/2022 4:23 PM, Matthew T West via HTCondor-users wrote:
How exactly do new users get permission to submit jobs to the
queue, beyond being allowed on an Access Point?
Hi Matt,
Today, to be able to submit jobs, the user must have WRITE level
authorization to the schedd on the Access Point.
So when the user runs "condor_submit" (or uses the Python bindings),
condor_submit connects to the schedd and first performs
authentication using whatever authentication methods are configured
(filesystem [FS], IDTOKENS, etc). The identifier resulting from the
authentication gets mapped to an HTCSS user name, which must be in
the ALLOW_WRITE list and not in the DENY_WRITE list in the config
file on the AP. Details on this are here:
https://htcondor.readthedocs.io/en/latest/admin-manual/security.html
So the default configuration of HTCSS has
    ALLOW_WRITE = *
meaning that any user that can successfully authenticate to the
schedd is authorized to submit jobs. Since "FS" (filesystem) is
set up as an allowed authentication mechanism by default, any user
that can log in to the AP is allowed to submit jobs.
If, for instance, you only wanted a subset of users that can log in
to the AP server to be able to submit jobs, you could place the
following into the AP's HTCSS configuration:
    ALLOW_WRITE = \
        matthew@$(UID_DOMAIN) \
        todd@$(UID_DOMAIN)
The above says only users logged in to the AP server as "matthew" or
"todd" can submit.
You could keep the above in a separate file using the config file
'include' directives - see
https://htcondor.readthedocs.io/en/latest/admin-manual/introduction-to-configuration.html#including-configuration-from-elsewhere
You will have to perform a 'condor_reconfig' command as usual after
editing the config file.
As others have commented, we are currently looking at adding
persistent "user records" into the AP which will allow additional
configurations and limits per user.
Hope the above helps,
Todd
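
Added example (not part of Todd's message and not HTCondor code): a simplified Python model of the ALLOW_WRITE / DENY_WRITE check described above, usable to audit a config fragment offline. The sample config, the example.org domain and all function names are constructed for illustration; real HTCondor matching also handles user@domain/host entries, which this sketch ignores.

```python
import fnmatch
import re

# Constructed sample Access Point config fragment (not from a real pool).
SAMPLE_CONFIG = r"""
UID_DOMAIN = example.org
# Only these accounts may submit jobs
ALLOW_WRITE = \
    matthew@$(UID_DOMAIN) \
    todd@$(UID_DOMAIN)
DENY_WRITE = guest@*
"""

def parse_config(text):
    """Parse NAME = value lines, joining '\\' continuations and expanding $(NAME)."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    macros = {}
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            macros[name.strip().upper()] = value.strip()

    def expand(value, depth=0):
        if depth > 10:  # stop on self-referencing macros
            return value
        return re.sub(r"\$\((\w+)\)",
                      lambda m: expand(macros.get(m.group(1).upper(), ""), depth + 1),
                      value)
    return {name: expand(value) for name, value in macros.items()}

def entries(cfg, name, default=""):
    """Split a comma- and/or space-separated list setting into its entries."""
    return [e for e in re.split(r"[,\s]+", cfg.get(name, default)) if e]

def open_to_all(cfg):
    """True when ALLOW_WRITE is the wildcard, i.e. any authenticated user may submit."""
    # Assumption taken from the post: ALLOW_WRITE is "*" when not set.
    return "*" in entries(cfg, "ALLOW_WRITE", "*")

def may_submit(cfg, identity):
    """Model of the WRITE check: listed in ALLOW_WRITE and not in DENY_WRITE."""
    def matches(patterns):
        return any(fnmatch.fnmatchcase(identity, p) for p in patterns)
    return matches(entries(cfg, "ALLOW_WRITE", "*")) and not matches(entries(cfg, "DENY_WRITE"))

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for who in ("todd@example.org", "alice@example.org", "guest@example.org"):
        print(who, "may submit" if may_submit(cfg, who) else "is refused")
```

On a live Access Point the effective value comes from `condor_config_val ALLOW_WRITE`; the script only models a fragment pasted into it.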