Hi Winnie,

My view is that it doesn't matter at all, as long as you have a reliable way of working out what DNs are associated with jobs on worker nodes (and probably also the associated grid job ids) so that in the event of a "security issue" you can trace jobs back to their owner. Note that you can't really rely on the x509* attributes in condor unless you're using 8.6.x or above and declare these attributes to be immutable (if you don't do this users can modify this information).

The use of pool accounts is a remnant of Torque/PBS batch systems in the 1990s where the only way of isolating jobs was for them to have different uids and there were no other means by which information about the jobs' owners could be tracked :-)

Regards,
Andrew.

________________________________________
From: Testbed Support for GridPP member institutes [[log in to unmask]] on behalf of Winnie Lacesso [[log in to unmask]]
Sent: Friday, June 02, 2017 10:10 AM
To: [log in to unmask]
Subject: Pool account UIDs/GIDs

Happy Friday!

In progress to add pool accounts for some new VOs to support, it turns out
on examination that pool account UIDs & GIDs differ pretty significantly
from CE to WN & that diff WN have diff pool accounts mapped to same UID.

Eg it turns out what are cmspil accounts on WN are a mix of cmspil & ngs
(!) pool accounts on other WN, & are all ngs (!) pool accounts on
Bristol's only CE.

But the site isn't "broken" - seems fine (I think!) (touch wood!)

Either what UID/GID a pool account has really must not matter at all - Is
that true? After all, the gridmapdir which is NFS-mounted to all nodes
from ARGUS uses only pool account name - not UID.
I think it is true but seek confirmation.

Or, it does matter & it's just chance that the UID inconsistency across
nodes hasn't bitten Bristol yet.

I've looked in my email archives & find mail from 2009 or so saying things
like

"These are the UID/GIDs that should be used across all nodes at our site"

and

"> So all those pool accounts must remain the same UID/GIDs, is that
> right?
Yes, that's important."

Grateful for advice!
(even more so for WLCG documentation about this? Is there any?)
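
An added example, not part of either message in this thread: a small audit that takes passwd-format text collected from each node (for instance the output of `getent passwd`) and reports the two inconsistencies described above, one UID belonging to different pool accounts on different nodes and one account name carrying different UID/GID pairs. The host names, account names and numeric IDs in the sample are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: passwd-format lines per node.
# Host names, account names and UIDs/GIDs are invented for illustration.
SAMPLE = {
    "ce01": "ngs001:x:30001:3000::/home/ngs001:/bin/bash\n"
            "ngs002:x:30002:3000::/home/ngs002:/bin/bash\n",
    "wn01": "cmspil001:x:30001:3100::/home/cmspil001:/bin/bash\n"
            "cmspil002:x:30002:3100::/home/cmspil002:/bin/bash\n",
    "wn02": "cmspil001:x:30001:3100::/home/cmspil001:/bin/bash\n"
            "ngs002:x:30002:3000::/home/ngs002:/bin/bash\n",
}

def parse_passwd(text):
    """Return {account_name: (uid, gid)} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip malformed entries rather than guessing
        accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts

def audit(nodes):
    """Return (uid_clash, name_clash) across all nodes.

    uid_clash:  uid  -> {account name: [hosts]} where one UID has several names
    name_clash: name -> {(uid, gid): [hosts]}   where one name has several IDs
    """
    by_uid = defaultdict(lambda: defaultdict(set))
    by_name = defaultdict(lambda: defaultdict(set))
    for host, text in nodes.items():
        for name, (uid, gid) in parse_passwd(text).items():
            by_uid[uid][name].add(host)
            by_name[name][(uid, gid)].add(host)
    uid_clash = {u: {n: sorted(h) for n, h in names.items()}
                 for u, names in by_uid.items() if len(names) > 1}
    name_clash = {n: {ids: sorted(h) for ids, h in idmap.items()}
                  for n, idmap in by_name.items() if len(idmap) > 1}
    return uid_clash, name_clash

if __name__ == "__main__":
    uid_clash, name_clash = audit(SAMPLE)
    for uid, names in sorted(uid_clash.items()):
        print(f"UID {uid} maps to different accounts: {names}")
    for name, ids in sorted(name_clash.items()):
        print(f"account {name} has differing (uid, gid): {ids}")
```

A non-empty `uid_clash` means a numeric UID seen in worker-node process or file ownership records cannot be resolved to an account without also knowing which node it came from.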