Project

General

Profile

Bug #2705

Non-privilege separation broke in v3+. Continue to support it?

Added by John Weigand over 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Category:
Factory
Target version:
Start date:
05/16/2012
Due date:
% Done:

0%

Estimated time:
First Occurred:
Occurs In:
Stakeholders:
Duration:

Description

While testing the v3+ (master branch 5/15/12), I discovered that
the a non-privilege separation scenario was broken.

There appears to be some question as to the continued support
of a non-privilege separation use case in V3+. Before attempting
to resolve this problem, it would be helpful to know we are
continuing support for it.

If we are not, then we should modify those sections of the code to
prohibit its use.

If we are to continue support, the remainder of this issue
identifies where the error is occurring as best I can tell.

The changes that appear to be causing the problem appear to have been
introduced on 7/14/2011 with commit 670ee234a. It is these arguments
that are causing the problem with a non-privsep use case in the
submitGlideins method of glideFactoryLib.py

exe_env.append('GLIDEIN_RSL=%s' % glidein_rsl)
glidein_arguments += " -cluster $(Cluster) -subcluster $(Process)"
.. the above are added in the get_submit_environment method of the same
module.

For privilege separation, the glidein submit is done via the condor
switchboard and all is well.

For non-privilege separation, the glidein submit is done via..
- the setting of a set of environmental variables for which the
GLIDEIN_RSL has quoting problems when set to
GLIDEIN_RSL=(queue=default)(jobtype=single);
- then the execution of condor_submit using a set of arguments
These 2 arguments are causing shell errors:
-cluster $(Cluster) -subcluster $(Process)

John Weigand

History

#1 Updated by John Weigand over 7 years ago

  • Assignee set to Anthony Tiradani

Based on the glideinWMS meeting on 6/4 and feedback from Dennis,
this is still needed.

Assigned it to Tony because he basically made all the changes.
I just tested it in both privsep and non-privsep modes to validate.

It is working fine.

John Weigand

#2 Updated by Anthony Tiradani over 7 years ago

  • Status changed from New to Feedback

Commits that address this issue:
commit:925b7c590158158b4115fea40f6c138af98936af
commit:0d95c4454b3ff184ae082476f7997c576bd634eb
commit:e5bcbc65f042efd6b604f3bbfb8b6019e5f27fe9
commit:1f22273a503ba526abdba64db2c9c84b349ea031

The changes are:
1) a couple of pylint error fixes
2) some added logging used for debugging that made sense to keep
3) escaping characters that cause problems on the command line (non-privsep)
4) getting useful error messages back from condor_root_switchboard

Change #4 doesn't fix the issue but was necessary for testing the privsep case to ensure that we didn't break it with our changes.

#3 Updated by Anthony Tiradani over 7 years ago

  • Assignee changed from Anthony Tiradani to John Weigand

#4 Updated by John Weigand over 7 years ago

  • Status changed from Feedback to Resolved
  • Assignee changed from John Weigand to Anthony Tiradani

Tested both non-privilege separation and privilege separation
on 9/28/13. Both working fine.

Marking it as resolved and reassigning to Tony.

John Weigand

#5 Updated by Parag Mhashilkar over 6 years ago

  • Status changed from Resolved to Closed


Also available in: Atom PDF