Provide unique HTCondor users for each coffea-casa user #224

Open
oshadura opened this issue Nov 8, 2021 · 6 comments

oshadura commented Nov 8, 2021

Related to: #150

oshadura added this to the 2022-02-01 milestone Nov 8, 2021

@bbockelm

From the corresponding email thread, Brian's advice on configs:

IIRC, you must (a) set USER_IS_THE_NEW_OWNER = true in the schedd's condor_config and (b) ensure the setting of UID_DOMAIN is distinct from the domain in the generated subject in the token.

So, if UID_DOMAIN=unl.edu and my token claims I'm [email protected], then (with USER_IS_THE_NEW_OWNER):

  1. The User attribute should remain [email protected]
  2. The Owner should be set to nobody
     • All jobs will therefore launch the condor_shadow as nobody and similarly the spool directory will be owned by nobody.
  3. Access to modifying the jobs will be limited to [email protected]; someone coming in as [email protected] (even if they're mapped to Owner "nobody" as well) will not be able to condor_rm my jobs.

Discussion:

  • This implies we'll need to change how we generate IDTOKENS (coffea-casa jupyter config).
  • Can start by hand-generating a token, copy/pasting into the container, and trying to hand-submit to the schedd. Can even do this on T3.


clundst commented Nov 17, 2021

If owner is set to nobody (which it appears is not the case), how will we have to modify our startds to start them, as we use a number of owner. = stuff to steer jobs?


kenbloom commented Jan 7, 2022

Waiting on Condor pull request that's under review.


clundst commented Aug 24, 2022

I'm at a loss as to how to proceed on this task. Are tokens supposed to manage the usernames in queue? Confused

@oshadura

@clundst is it still a valid issue?


clundst commented Feb 22, 2024

This is almost solved, what I need (I think) is for the secret_creation_hook.py to assign condor_user to something unique for each user. Right now all the users are still cms-jovyan and able to kill off other cms-jovyan jobs. I can't try anything in the dev instance as condor is not working there.
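
Added example, not code from coffea-casa or HTCondor: a small Python model of the rule described in this thread, showing why distinct token subjects isolate jobs even when every Owner is nobody, and why a shared cms-jovyan subject does not. The `tokens.example` domain and the names alice and bob are constructed, and the same-domain branch of `map_identity` is an assumption.

```python
from dataclasses import dataclass

UID_DOMAIN = "unl.edu"  # value from the thread's example


@dataclass(frozen=True)
class Job:
    cluster_id: int
    user: str   # full authenticated identity (the token subject)
    owner: str  # local account used for the condor_shadow and spool files


def map_identity(subject, uid_domain=UID_DOMAIN):
    """Return (User, Owner) for a token subject of the form name@domain."""
    name, sep, domain = subject.partition("@")
    if not (sep and name and domain):
        raise ValueError(f"subject must be name@domain: {subject!r}")
    # Assumption: a subject inside UID_DOMAIN maps to its local account name;
    # any other domain maps to Owner "nobody", as the thread describes.
    owner = name if domain.lower() == uid_domain.lower() else "nobody"
    return subject, owner


def submit(cluster_id, subject):
    user, owner = map_identity(subject)
    return Job(cluster_id, user, owner)


def may_remove(requester_subject, job):
    """condor_rm is authorized on the User attribute, not on Owner."""
    requester_user, _ = map_identity(requester_subject)
    return requester_user == job.user


if __name__ == "__main__":
    # Constructed identities: per-user subjects versus one shared subject.
    alice_job = submit(1, "alice@tokens.example")
    shared_job = submit(2, "cms-jovyan@tokens.example")
    print(alice_job, may_remove("bob@tokens.example", alice_job))
    print(shared_job, may_remove("cms-jovyan@tokens.example", shared_job))
```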
