Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
Submitting the galaxy jobs as a predefined system user: using 'real_system_username' #4294
Up to now, there are two possible ways of specifying the real_system_username in galaxy.ini for submitting the jobs as the actual system user. This PR facilitates the third possible value which can be a name of the real system user who will run all the jobs being submitted. This user should not the user running the galaxy system.
I think this option is necessary, because jobs submitted as the same user running the galaxy system has full permissions over all the dataset files. Whereas, jobs submitted as real system user has an advantage that it requires only read access to all dataset files. Most of the galaxy servers (or atlease our system) do not have real system users matching galaxy user_email or username. This PR would of helpfull for these people if they feel insecure in running the jobs as galaxy's system user.
Looks good to me - thanks for the patch!
I think it would be better to setup Pulsar if this is a serious concern - you could get proper separation of the users and you could get much more structured access to the data. But I'm incredibly biased and the approach presented here seems totally viable.