OK..I found a way to allow users to submit as a real users without using CHOWN... I did this by: 1) Tweaking the script external_chown_script.py by simply commenting out the chown statements (see below) 2) Making sure the users are in the same group 3) Setting the umask to 0002 to make all files svcgalaxy produces writeable by the same group (Dangerous, but I trust my users not to mess with the files directly) 4) Add the script "scripts/external_chown_script.py" to the list of allowable SUDO scripts, since that script will also be executed by sudo (Sudo section now looks like this) svcgalaxy ALL=(ALL) ALL svcgalaxy ALL = (root) NOPASSWD: SETENV: /mnt/ngs/analysis/svcgalaxy/galaxy-test/scripts/drmaa_external_runner.py svcgalaxy ALL = (root) NOPASSWD: SETENV: /mnt/ngs/analysis/svcgalaxy/galaxy-test/scripts/drmaa_external_killer.py svcgalaxy ALL = (root) NOPASSWD: SETENV: /mnt/ngs/analysis/svcgalaxy/galaxy-test/scripts/external_chown_script.py 5 (OPTIONAL) I even left the default setting for the outputs_to_working_directory set to FALSE since I hate to lose the option to be able to see the progress of a running job by clicking the eye icon to see the log file fill up Here's the tweak to external_chown_script.py... def main(): path, galaxy_user_name, gid = validate_paramters() #os.system('chown -Rh %s %s' %(galaxy_user_name, path)) #os.system('chgrp -Rh %s %s' %(gid, path)) I could have dispensed with the script completely ofcourse and simply have main return 0, but this way I remember to someday find a better solution..... But for now I am saved and have a nice system that informs the users the progress of their own jobs with qstat... This may not work for everyone, but for a small group of trustworthy users, this is a passable way to allow jobs to be submitted as real users.. Thon -----Original Message----- From: galaxy-dev-bounces@lists.bx.psu.edu [mailto:galaxy-dev-bounces@lists.bx.psu.edu] On Behalf Of Thon de Boer Sent: Thursday, February 21, 2013 11:08 PM To: 'Nate Coraor' Cc: 'Galaxy-dev Galaxy-dev' Subject: Re: [galaxy-dev] Submitting jobs as a real user without using chown, please OK...I think I can make this work, since it is not that difficult to make a directory world writeable...Or at least group writeable since all the users that will be able to run galaxy are in the same group as svcgalaxy that runs galaxy...I'll look at those scripts and see what they need to do... Thanks Thon -----Original Message----- From: Nate Coraor [mailto:nate@bx.psu.edu] Sent: Thursday, February 21, 2013 5:56 AM To: Anthonius deBoer Cc: 'Galaxy-dev Galaxy-dev' Subject: Re: [galaxy-dev] Submitting jobs as a real user without using chown, please On Feb 20, 2013, at 2:37 PM, Anthonius deBoer wrote:
Ah...Found what root squashing is and yes, that is turned on our isilon system...
So out of luck I take it? We need to chown? we cannot fake the submission name in another way ;)
Galaxy must have a way to make the job working directory writable for the user that the job is running as. If this means logging in to another system via ssh that *does* have the ability to change ownership, then you can do that. The method is completely customizable because you can set the chown script to anything that works for you. However, some means of doing this that is appropriate for your environment has to exist for Galaxy to perform it. That said, you might be able to get away with having the script make the working directory world-writeable instead of owned by the real user. --nate
Thanks
Thon
On Feb 20, 2013, at 10:32 AM, Anthonius deBoer <thondeboer@me.com> wrote:
I cannot run chown even as a sudo command...Same error... What is root squashing? I am reading on the internet that it is very
common not to allow users to change the ownership of files...
Thon On Feb 20, 2013, at 05:52 AM, Nate Coraor <nate@bx.psu.edu> wrote:
On Feb 19, 2013, at 11:02 PM, Thon de Boer wrote:
Hi,
I am trying to setup my galaxy system to allow jobs to be submitted as the real user, since people want to keep an eye on their job on the cluster sometimes and they have no ideas which ones are theirs.
I tried the approach on the wiki here:
http://wiki.galaxyproject.org/Admin/Config/Performance/Cluster?hig hlight=%28submit%29%7C%28jobs%29%7C%28as%29%7C%28user%29#Submittin g_Jobs_as_the_Real_User
but unfortunately, the CHOWN command is not allowed, not even as a sudo user. Probably has to do with the fact that we run our cluster from an isilon system, which I assume is pretty typical.
The job was actually successfully submitted as the intended user, so that part works, but if we can just get it to work without having to rely on chown that would be awesome.
Can someone point me in the right direction?
Hi Thon,
If you run the command from the command line, what results do you get?
/usr/bin/sudo -E scripts/external_chown_script.py /mnt/ngs/analysis/svcgalaxy/galaxy-test/database/job_working_directo ry/000/148 svcgalaxy 10000
Note that external_chown_script.py can be modified as necessary to allow
you to change ownership in whatever way is appropriate for your site. Since it should just be an NFS mount, as long as root squashing is not enabled and your svcgalaxy user has sudo permission to run this script, it should succeed.
--nate
Here's the error.
galaxy.jobs.runners.local DEBUG 2013-02-19 19:35:31,524 execution of external set_meta for job 148 finished galaxy.jobs DEBUG 2013-02-19 19:35:31,576 (148) Changing ownership of working directory with: /usr/bin/sudo -E scripts/external_chown_script.py
/mnt/ngs/analysis/svcgalaxy/galaxy-test/database/job_working_directory/000/1 48 svcgalaxy 10000 galaxy.jobs ERROR 2013-02-19 19:35:31,653 (148) Failed to change ownership of /mnt/ngs/analysis/svcgalaxy/galaxy-test/database/job_working_directory/000/1 48, failing Traceback (most recent call last):
File "/mnt/ngs/analysis/svcgalaxy/galaxy-test/lib/galaxy/jobs/__init__. py", line 343, in finish self.reclaim_ownership() File "/mnt/ngs/analysis/svcgalaxy/galaxy-test/lib/galaxy/jobs/__init__. py", line 916, in reclaim_ownership self._change_ownership( self.galaxy_system_pwent[0], str( self.galaxy_system_pwent[3] ) ) File "/mnt/ngs/analysis/svcgalaxy/galaxy-test/lib/galaxy/jobs/__init__. py", line 902, in _change_ownership assert p.returncode == 0 AssertionError galaxy.jobs DEBUG 2013-02-19 19:35:31,722 fail(): Moved /mnt/ngs/analysis/svcgalaxy/galaxy-test/database/job_working_direc tory/000/148/galaxy_dataset_332.dat to /mnt/ngs/analysis/svcgalaxy/galaxy-test/database/files/000/dataset _332.dat galaxy.datatypes.metadata DEBUG 2013-02-19 19:35:31,924 Cleaning up external metadata files
Thanks
Thon ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/