Re: [HTCondor-users] Give access to admin commands to non-root user

[Todd Tannenbaum <tannenba@xxxxxxxxxxx>]

On 11/2/2022 2:24 PM, Todd L Miller via HTCondor-users wrote:

> > I want to give access to the queue
> >         commands (such as condor_rm) to some trusted users. I am using
> >         FS authentication, I have them listed as admins, and also in the
> >         QUEUE_SUPER_USER, but they are still unable to run condor_rm.
> >         Here is what my config looks like, I can't find much as far as
> >         what else may be needed. Any help would be appreciated:
> >         
> >       
>       
>           Is FS first in the list for your other
>       SEC_*_AUTHENTICATION_METHODS?  condor_rm will not usuall attempt
>       to authenticate at the ADMINISTRATOR level, so it's possible users
>       who run it are authenticating with some other method whose ID
>       isn't in your QUEUE_SUPER_USERS list.
>       
>       
>           Also, I looked at the manual, and it didn't specifically say
>       that wildcards were acceptable in QUEUE_SUPER_USERS, so maybe try
>       just `trusteduser` or maybe `trusteduser@uid_domain`.
>       
>       
>     
    
    ^^^ I think this is the problem -- QUEUE_SUPER_USERS currently does
    not accept wildcards.
    
    Since you mentioned you are using FS authentication, I think you
    could do the following to allow the user (non-root user) logged in
    as trusteduser to remove/hold/edit any job:
    
       QUEUE_SUPER_USERS = $(QUEUE_SUPER_USERS) trusteduser
    
    and then of course do a condor_reconfig (or SIGHUP) as usual.
    
    regards,
    Todd