superusers are also queue superusers #600

Closed

maxfischer2781
Contributor

This PR fixes the permissions of the root and condor users for queue commands.

Currently, QUEUE_SUPER_USERS = condor, root lacks a domain so the UID_DOMAIN = users.htcondor.org is implied. However, the default mapping for local root/condor users uses the domain daemon.htcondor.org instead. As such, root is not allowed to perform administrative queue commands such as condor_ce_rm.

@maxfischer2781 maxfischer2781 marked this pull request as draft April 5, 2024 14:14
@maxfischer2781
Contributor Author

maxfischer2781 commented Apr 5, 2024

I've just traced back why the change occurred, since it did not appear on a v5.1.6 CE but on a new v23 CE even though both tags include the mapfile. The mapfile is only installed with the client tools which we do have on the new CEs (for local automated testing) but not the older ones.
So root/condor get mapped differently depending on what other packages are installed. Consequently, different QUEUE_SUPER_USERS are needed depending on the situation. This PR isn't sufficient to address that.

I think it's not too unusual to have the client installed on a CE, since it is recommended for troubleshooting. So ideally the mapping should be the same both with and without the client installed.

Would you be fine with moving the mapfile to the regular installation as well? Otherwise I would recommend removing it completely and keeping the old QUEUE_SUPER_USERS to avoid the conflict from installing the client.

@maxfischer2781 maxfischer2781 marked this pull request as ready for review April 12, 2024 07:37
@maxfischer2781
Contributor Author

Sorry for the rambling. The client is always installed with the CE and always has been. I've just double-checked and the issue also occurs on our older machines; we just always interacted with the LRMS instead of the CE queue.

@JaimeFrey
Member

I'm surprised this change works. The QUEUE_SUPER_USERS parameter doesn't support a /$(FULL_HOSTNAME) at the end of entries.
It seems like we could just get rid of the 50-common-default.conf mapfile from the client package.

@maxfischer2781
Contributor Author

maxfischer2781 commented Apr 13, 2024

You are right, that would probably be better. I'm closing this PR; this has been the status quo for long enough that it doesn't need a hasty fix.

@JaimeFrey
Member

I'm planning an overhaul and cleanup of the CE configuration. I don't know when it'll happen, but I'll make sure this is included in that effort.
