
Re: [HTCondor-users] condor_ssh_to_job & (remote) DAG



On Jul 16, 2025, at 10:25 AM, Greg Thain via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:


On 16 Jul 2025, at 15:47, Bockelman, Brian <BBockelman@xxxxxxxxxxxxx> wrote:

One messy area that's been a long time in cleaning up is the difference between the "Unix user" that the AP will use to read/write files for the job and the "Owner" of the job.  It's been assumed that the Unix user can be found by simply cutting out everything before the "@" and then, internally, things have occasionally used the user when they really meant to use the owner.

There's been quite a bit of cleaning up here.  At first blush, I might lean toward saying that v24 is doing the "right thing" because what v23 is doing is giving "someone else" (as defined by your config) SSH access to your job.

Greg, can you confirm?


This is correct, in V23 (and earlier), the owner check in the schedd ignored everything after the '@' sign.  I'm thinking this also impacts "condor_qedit", "condor_rm" and other tools.


I've looked through the config files for one of the bigbird machines and it looks like you could change the fsauth domain to cern.ch, both in the mapfile and in all of the ALLOW rules. It would not materially affect your security policy, since all of the mentions of fsauth include restricting the client to the local machine.
Do you see a problem with making that change?

 - Jaime