
Re: [HTCondor-users] condor_ssh_to_job & (remote) DAG



Hi Jaime,

> I've looked through the config files for one of the bigbird machines and it looks like you could change the fsauth domain to cern.ch, both in the mapfile and in all of the ALLOW rules. It would not materially affect your security policy, since all of the mentions of fsauth include restricting the client to the local machine.

You mean in the mapfile changing:

FS /(.*)/ \1@fsauth

to I guess:
 
FS /(.*)/ \1@xxxxxxx@fsauth 

?

The ALLOW rules I'm a bit dubious about, since…

> Do you see a problem with making that change?

… I'm not sure what the implication is of having root with an fsauth domain for instance (root@xxxxxxx is not the same as a uid 0 local account). I also don't really get why we can't condor_ssh_to_job as root on the AP to a running job of a user, or why a change in fsauth domain would solve that problem. I get I suppose why bejones@xxxxxxx might != bejones@fsauth (though, again, I thought UID_DOMAIN was for that), but I don't get what might be stopping root@fsauth doing a condor_ssh_to_job to a job owned by bejones or bejones@xxxxxxx when either it's a queue super user or it isn't.

cheers,
Ben
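The following is an added example, not code from the thread or from HTCondor itself: a deliberately simplified Python model of how a mapfile line such as `FS /(.*)/ \1@fsauth` turns an FS-authenticated Unix name into a canonical identity, and how that identity is then matched against an ALLOW entry that also restricts the client host. It lets you check, for both the original line and the `\1@cern.ch` variant Jaime suggests, that `root@fsauth` and `root@cern.ch` are different strings and so match different ALLOW entries. The ALLOW entries, the `127.0.0.1` host restriction and the full-match/glob semantics are assumptions made for the illustration; the real HTCondor matching rules are richer than this.

```python
"""Simplified model of an HTCondor mapfile and an ALLOW list (added example).

Assumptions (not taken from HTCondor's own code):
  * a mapfile line is  METHOD /regex/ target  and the regex must match the
    whole authenticated name; \\1 in the target expands the first group;
  * an ALLOW entry is  user-glob/host-glob  and both globs must match.
"""
import fnmatch
import re
from dataclasses import dataclass

# Constructed samples. The first mapfile line is the one quoted in the thread;
# the second is the "change the domain to cern.ch" variant Jaime suggests.
MAPFILE_ORIGINAL = "FS /(.*)/ \\1@fsauth\n"
MAPFILE_CHANGED = "FS /(.*)/ \\1@cern.ch\n"
# Assumed ALLOW entries: any fsauth (or cern.ch) identity, local host only.
ALLOW_ORIGINAL = ["*@fsauth/127.0.0.1"]
ALLOW_CHANGED = ["*@cern.ch/127.0.0.1"]


@dataclass
class MapRule:
    method: str
    pattern: re.Pattern
    target: str


def parse_mapfile(text):
    """Parse METHOD /regex/ target lines; blank lines and # comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+/(.*)/\s+(\S+)$", line)
        if not m:
            raise ValueError(f"unparseable mapfile line: {raw!r}")
        method, regex, target = m.groups()
        rules.append(MapRule(method.upper(), re.compile(regex), target))
    return rules


def canonical_name(rules, method, authenticated_name):
    """Return the canonical identity for the first matching rule, else None."""
    for rule in rules:
        if rule.method != method.upper():
            continue
        m = rule.pattern.fullmatch(authenticated_name)
        if m:
            return m.expand(rule.target)  # expands \1, \2, ... in the target
    return None


def authorized(allow_list, canonical, client_host):
    """True if some entry's user glob matches the identity and its host glob the client."""
    for entry in allow_list:
        user_pat, _, host_pat = entry.partition("/")
        if not host_pat:
            host_pat = "*"  # entry without a host part applies to any client
        if fnmatch.fnmatchcase(canonical, user_pat) and fnmatch.fnmatchcase(
            client_host, host_pat
        ):
            return True
    return False


def compare(unix_name, client_host):
    """Map one Unix name under both mapfiles and test it against both ALLOW lists."""
    result = {}
    for label, mapfile, allow in (
        ("original", MAPFILE_ORIGINAL, ALLOW_ORIGINAL),
        ("changed", MAPFILE_CHANGED, ALLOW_CHANGED),
    ):
        ident = canonical_name(parse_mapfile(mapfile), "FS", unix_name)
        result[label] = (ident, authorized(allow, ident, client_host))
    return result


if __name__ == "__main__":
    for name in ("root", "bejones"):
        for host in ("127.0.0.1", "10.0.0.5"):
            print(name, host, compare(name, host))
```

Running the block prints, for `root` and `bejones` from the local host and from a remote host, which identity each mapfile produces and whether the corresponding ALLOW list accepts it. The point the model makes concrete is that the ALLOW entries and the mapfile have to change together: an ALLOW list still written for `@fsauth` rejects `root@cern.ch` outright, and the host restriction, not the domain name, is what keeps remote clients out in both configurations.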