Submitting the galaxy jobs as a predefined system user: using 'real_system_username' #4294

Merged
merged 11 commits into from Jul 12, 2017

7 participants
@ashvark
Contributor

commented Jul 7, 2017

Up to now, there are two possible ways of specifying the real_system_username in galaxy.ini for submitting the jobs as the actual system user. This PR facilitates a third possible value, which can be the name of the real system user who will run all the jobs being submitted. This user should not be the user running the galaxy system.

I think this option is necessary, because jobs submitted as the same user running the galaxy system have full permissions over all the dataset files, whereas jobs submitted as a real system user have the advantage that they require only read access to all dataset files. Most of the galaxy servers (or at least our system) do not have real system users matching galaxy user_email or username. This PR would be helpful for these people if they feel insecure in running the jobs as galaxy's system user.

@natefoo @erasche We discussed this in gcc2017. Let me know your comments on this PR
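The three values of real_system_username described above, resolved and validated in one place, as an added example that is not part of this pull request or of Galaxy's code. The helper name, the sample accounts and the use of the e-mail local part for 'user_email' are assumptions.

```python
import os
import pwd

# Constructed passwd entries so the example runs offline; not real accounts.
SAMPLE_PASSWD = {
    "galaxy": pwd.struct_passwd(("galaxy", "x", 1500, 1500, "", "/srv/galaxy", "/bin/bash")),
    "galaxyjobs": pwd.struct_passwd(("galaxyjobs", "x", 1501, 1501, "", "/home/galaxyjobs", "/bin/false")),
    "alice": pwd.struct_passwd(("alice", "x", 2001, 2001, "", "/home/alice", "/bin/bash")),
}


def sample_getpwnam(name):
    """Stand-in for pwd.getpwnam over SAMPLE_PASSWD; raises KeyError like the real call."""
    return SAMPLE_PASSWD[name]


def resolve_job_user(setting, email, username, service_uid=None, getpwnam=pwd.getpwnam):
    """Map a real_system_username value to the passwd entry jobs should run as.

    Hypothetical helper, not Galaxy's system_user_pwent. Raises ValueError for a
    value that cannot be used instead of silently returning nothing.
    """
    if service_uid is None:
        service_uid = os.getuid()  # uid of the process doing the submission
    if not setting:
        raise ValueError("real_system_username is not set")
    if setting == "user_email":
        name = email.split("@")[0]  # assumption: the local part names the account
    elif setting == "username":
        name = username
    else:
        name = setting  # third mode from this PR: one fixed account for all jobs
    try:
        entry = getpwnam(name)
    except KeyError:
        raise ValueError("no system account %r (real_system_username=%r)" % (name, setting))
    # The PR description requires the fixed account to differ from the account
    # running Galaxy; applying the check to all three modes is a choice made here.
    if entry.pw_uid == service_uid:
        raise ValueError("%r runs Galaxy itself; jobs would keep full permissions" % name)
    return entry
```

On a real host, omit `getpwnam` and `service_uid` so the lookup goes to the system passwd database and the comparison uses the submitting process's own uid.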

martenson and others added some commits Oct 21, 2016

Merge pull request #3077 from galaxyproject/release_16.07
[master] bring master on par with release_16.07

@galaxybot galaxybot added the triage label Jul 7, 2017

@galaxybot galaxybot added this to the 17.09 milestone Jul 7, 2017

@@ -204,8 +204,12 @@ def system_user_pwent(self, real_system_username):
except KeyError:
pass
else:
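Review bot: the `else:` on the last visible line is a catch-all, so any real_system_username string that is not one of the two existing values is taken as an account name, and the `except KeyError: pass` just above it shows a failed lookup being dropped without a trace. The branch under this `else:` should not copy that pattern: log the name that failed to resolve so a typo in galaxy.ini is visible, and refuse the account that runs Galaxy itself, since the PR description says the configured user must not be that one.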

@bernt-matthias

bernt-matthias Jul 8, 2017

Contributor

I think you should test for real_system_username is not None, i.e. the else branch should be an elif branch. Or is this function never called if real_system_username is not configured? The default is None, isn't it?

@ashvark

ashvark Jul 10, 2017

Author Contributor

@bernt-matthias I think the default value for 'real_system_username' is 'user_email'. This function 'system_user_pwent' is called only when 'external_runjob_script' is set in galaxy.ini. Do I still need to check for None?

@bernt-matthias

bernt-matthias Jul 10, 2017

Contributor

You are right.

@jmchilton

Member

commented Jul 12, 2017

Looks good to me - thanks for the patch!

I think it would be better to set up Pulsar if this is a serious concern - you could get proper separation of the users and you could get much more structured access to the data. But I'm incredibly biased and the approach presented here seems totally viable.

@jmchilton jmchilton merged commit db486b5 into galaxyproject:dev Jul 12, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@martenson martenson added kind/enhancement and removed triage labels Oct 9, 2017
