
Re: [HTCondor-users] condor_ssh_to_job & (remote) DAG



Hi,

On 16 Jul 2025, at 15:47, Bockelman, Brian <BBockelman@xxxxxxxxxxxxx> wrote:

One messy area that's been a long time in cleaning up is the difference between the "Unix user" that the AP will use to read/write files for the job and the "Owner" of the job.  It's been assumed that the Unix user can be found by simply cutting out everything before the "@" and then, internally, things have occasionally used the user when they really meant to use the owner.

There's been quite a bit of cleaning up here.  At first blush, I might lean toward saying that v24 is doing the "right thing" because what v23 is doing is giving "someone else" (as defined by your config) SSH access to your job.

Greg, can you confirm?


In general, I strongly suggest the same "user" identifier to result regardless of what authentication method is used.  We tend to have subtle assumptions based on the identity not changing...

I don't disagree, but we have forever had:

KERBEROS /^([^@\/]*)@(.*)$/ \1@\2
FS /(.*)/ \1@fsauth


Yup, just philosophizing in general.  However, it might be the culprit here...

But why if bejones@xxxxxxx is the auth'd kerberos entity, and the UID_DOMAIN is cern.ch would bejones@xxxxxxx != bejones@fsauth
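
Added example, not part of the thread and not HTCondor code: a small audit that applies the two map lines quoted above to one person's login under each method and reports when the resulting identities differ even though the part before the "@" is the same. It assumes Python's `re` is close enough to the map file's regex syntax for these two rules, parses only the `METHOD /regex/ replacement` form shown in the message, and uses a constructed user `alice` with a constructed realm.

```python
import re

# The two map lines quoted in the message above.
MAP_LINES = r"""
KERBEROS /^([^@\/]*)@(.*)$/ \1@\2
FS /(.*)/ \1@fsauth
"""

# Only the "METHOD /regex/ replacement" form seen on the page is handled.
LINE_RE = re.compile(r"^(\S+)\s+/(.*)/\s+(\S+)$")

def parse_map(text):
    """Return [(method, compiled_regex, replacement)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported map line: {line!r}")
        method, pattern, repl = m.groups()
        rules.append((method.upper(), re.compile(pattern), repl))
    return rules

def canonical(rules, method, authenticated_name):
    """First matching rule for the method wins; None if no rule matches."""
    for rule_method, regex, repl in rules:
        if rule_method == method.upper():
            m = regex.search(authenticated_name)
            if m:
                return m.expand(repl)
    return None

def unix_user(identity):
    """The 'cut everything from the @ onward' shortcut described in the thread."""
    return identity.split("@", 1)[0]

def audit(rules, logins):
    """logins: {person: {method: authenticated_name}}.
    Return the people whose mapped identity depends on the method used."""
    findings = {}
    for person, by_method in logins.items():
        ids = {m: canonical(rules, m, name) for m, name in by_method.items()}
        if len(set(ids.values())) > 1:
            findings[person] = ids
    return findings

# Constructed sample: one person, the name each method would hand to the map.
SAMPLE = {"alice": {"KERBEROS": "alice@EXAMPLE.ORG", "FS": "alice"}}
```

With the constructed sample, `audit(parse_map(MAP_LINES), SAMPLE)` reports `alice` under two different identities, while `unix_user()` gives the same value for both.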