
Re: [HTCondor-users] Give access to admin commands to non-root user



Hmm, ok so using just "trusteduser" indeed did work, but what also did not work was using trusteduser@xxxxxxxxxxxx where the Illinois.edu domain was specified as the UID_DOMAIN. I had that before, and when that wasn't working, was when I tried the wildcard for the domain.

 

This does make sense I guess if FS auth just looks at the owner of a file it writes, the uid_domain would not show up there, so trying to match on the UID domain with FS might not work as expected? It's also possible there is some more intelligence behind that process though, I'll let someone smarter than me determine the truth of that.

 

Also, after digging, I found the section on QUEUE_SUPER_USERS in the manual. Searching for that string did not find it in the Config Macros section of the admin manual.

 

Thanks for the help all!

-------------------------------------

Gianni Pezzarossi

Computational System Analyst

Research Services

Engineering IT Shared Services

University of Illinois @ Urbana-Champaign

 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Todd Tannenbaum via HTCondor-users
Sent: Wednesday, November 2, 2022 2:52 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Give access to admin commands to non-root user

 

On 11/2/2022 2:24 PM, Todd L Miller via HTCondor-users wrote:

I want to give access to the queue commands (such as condor_rm) to some trusted users. I am using FS authentication, I have them listed as admins, and also in the QUEUE_SUPER_USER, but they are still unable to run condor_rm. Here is what my config looks like, I can't find much as far as what else may be needed. Any help would be appreciated:


    Is FS first in the list for your other SEC_*_AUTHENTICATION_METHODS?  condor_rm will not usually attempt to authenticate at the ADMINISTRATOR level, so it's possible users who run it are authenticating with some other method whose ID isn't in your QUEUE_SUPER_USERS list.

    Also, I looked at the manual, and it didn't specifically say that wildcards were acceptable in QUEUE_SUPER_USERS, so maybe try just `trusteduser` or maybe `trusteduser@uid_domain`.


^^^ I think this is the problem -- QUEUE_SUPER_USERS currently does not accept wildcards.

Since you mentioned you are using FS authentication, I think you could do the following to allow the user (non-root user) logged in as trusteduser to remove/hold/edit any job:

   QUEUE_SUPER_USERS = $(QUEUE_SUPER_USERS) trusteduser

and then of course do a condor_reconfig (or SIGHUP) as usual.

regards,
Todd