Re: [HTCondor-users] CondorCE: recipe to react(?) on payload audit events
- Date: Mon, 3 Apr 2023 13:33:30 -0500 (CDT)
- From: Todd L Miller <tlmiller@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] CondorCE: recipe to react(?) on payload audit events
> If I as a site admin could instead somewhat control a pilot's start
> expression and inject cases like `x509UserProxyVOName =!= DN/FOO &&
> AuthTokenSubject =!= bababa-bababa` to block such payloads, that should be
> equivalent to an a posteriori job removal, I guess.
> But how would one modify the pilot's own requirements??
It seems like it would be easier to modify the pilot to allow
modifications. ;) Something like:
START = $(START) && $(USER_ALLOW_LIST)

# Match only if the job's proxy VO or its token subject maps to "allow";
# userMap() returns the last argument ("reject") when there is no mapping.
USER_ALLOW_LIST = \
    userMap( allowedUserProxyVONames, TARGET.x509UserProxyVOName, "reject", "reject" ) == "allow" \
    || \
    userMap( allowedAuthTokenSubject, TARGET.AuthTokenSubject, "reject", "reject" ) == "allow"

STARTD_CLASSAD_USER_MAP_NAMES = allowedUserProxyVONames, allowedAuthTokenSubject
CLASSAD_USER_MAPFILE_allowedUserProxyVONames = /etc/pilot/allowedUserProxyVONames
CLASSAD_USER_MAPFILE_allowedAuthTokenSubject = /etc/pilot/allowedAuthTokenSubject
where the CLASSAD_USER_MAPFILE_* entries deliberately point to
configuration files on local disk, that is, from the site admin, and not
from the pilot.
- ToddM
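As an added worked example (not code from this thread and not HTCondor's own evaluator), the script below is an offline dry run of the USER_ALLOW_LIST clause above: it parses two candidate map files and evaluates constructed job ads against them, so a site admin can check a policy before dropping the files into /etc/pilot. Two things are assumptions rather than facts from the thread: that the map files use the three-column "<method> <name-or-/regex/> <value>" layout of HTCondor's map files, and that userMap() with a preferred value returns that value when the mapped result is a comma-separated list containing it, otherwise the first item. The file contents and job ads are constructed for the example.

```python
"""Dry run of the site-side USER_ALLOW_LIST policy (added example, not HTCondor code).

Re-implements in Python the effect of

    userMap(allowedUserProxyVONames, TARGET.x509UserProxyVOName, "reject", "reject") == "allow"
    || userMap(allowedAuthTokenSubject, TARGET.AuthTokenSubject, "reject", "reject") == "allow"

Assumed map-file layout: "<method> <name-or-/regex/> <value>", first match wins.
Assumed userMap() semantics with a preferred value: if the mapped value is a
comma-separated list containing the preferred value, return it, else the first
item; return the default when nothing matches. Check the userMap() entry in
the manual for your HTCondor version before relying on either.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple, Union

Pattern = Union[str, re.Pattern]

# Constructed sample map files. On a real site these are the contents of
# /etc/pilot/allowedUserProxyVONames and /etc/pilot/allowedAuthTokenSubject,
# written by the site admin, never by the pilot.
ALLOWED_VO_MAP = """\
# method   VO name or /regex/     value
*          atlas                  allow
*          /^cms(-[a-z]+)?$/      allow
*          dune                   allow,reject
*          DN/FOO                 reject
"""
ALLOWED_SUBJECT_MAP = """\
# method   token subject or /regex/        value
*          bababa-bababa                   reject
*          /^[0-9a-f]{8}-[0-9a-f-]+$/      allow
"""


def parse_map(text: str) -> List[Tuple[Pattern, str]]:
    """Parse a map file into (pattern, value) rules, keeping file order."""
    rules: List[Tuple[Pattern, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields in map line: {raw!r}")
        _method, name, value = fields  # the method column is unused by userMap()
        if len(name) > 2 and name[0] == name[-1] == "/":
            rules.append((re.compile(name[1:-1]), value))  # /regex/ form
        else:
            rules.append((name, value))  # literal name
    return rules


def user_map(rules: List[Tuple[Pattern, str]], name: Optional[str],
             preferred: str, default: str) -> Optional[str]:
    """Mimic userMap(mapName, name, preferred, default).

    None models ClassAd 'undefined': an ad that lacks the attribute is
    modelled as getting undefined back rather than the default. Either way
    the job is not allowed below, since the default is also "reject"."""
    if name is None:
        return None
    for pattern, value in rules:
        if isinstance(pattern, str):
            matched = pattern == name
        else:
            matched = pattern.search(name) is not None
        if matched:
            choices = [v.strip() for v in value.split(",")]
            return preferred if preferred in choices else choices[0]
    return default


VO_RULES = parse_map(ALLOWED_VO_MAP)
SUBJECT_RULES = parse_map(ALLOWED_SUBJECT_MAP)


def user_allow_list(job: Dict[str, str]) -> bool:
    """Evaluate the USER_ALLOW_LIST clause for one job ad (a dict of attributes).

    Python's (None == "allow") is False and (False or True) is True, which
    matches the verdict the startd reaches through ClassAd's three-valued
    logic: undefined || true is true, and undefined || false is undefined,
    which START treats as 'do not match'."""
    vo_ok = user_map(VO_RULES, job.get("x509UserProxyVOName"),
                     "reject", "reject") == "allow"
    token_ok = user_map(SUBJECT_RULES, job.get("AuthTokenSubject"),
                        "reject", "reject") == "allow"
    return vo_ok or token_ok


SAMPLE_JOBS = [  # constructed job ads and the verdict the policy gives them
    ({"x509UserProxyVOName": "atlas"}, True),
    ({"x509UserProxyVOName": "cms-prod"}, True),             # regex rule
    ({"x509UserProxyVOName": "DN/FOO",
      "AuthTokenSubject": "bababa-bababa"}, False),          # the case from the question
    ({"AuthTokenSubject": "deadbeef-0000-1111"}, True),      # token-only payload
    ({"x509UserProxyVOName": "dune"}, False),                # "allow,reject": preferred "reject" wins
    ({"x509UserProxyVOName": "lhcb"}, False),                # unlisted: default "reject"
    ({}, False),                                             # no credential attributes at all
]

if __name__ == "__main__":
    for job, expected in SAMPLE_JOBS:
        verdict = user_allow_list(job)
        print(f"{'ALLOW ' if verdict else 'REJECT'} {job}")
        assert verdict == expected
```

Because the preferred value passed to userMap() is "reject", a name that a map line lists as both allow and reject is rejected; if that is not the intent on your site, drop the list form and keep one value per line.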