OK..I found a way to allow users to submit as a real users without using
CHOWN...
I did this by:
1) Tweaking the script external_chown_script.py by simply commenting out the
chown statements (see below)
2) Making sure the users are in the same group
3) Setting the umask to 0002 to make all files svcgalaxy produces writeable
by the same group (Dangerous, but I trust my users not to mess with the
files directly)
4) Add the script "scripts/external_chown_script.py" to the list of
allowable SUDO scripts, since that script will also be executed by sudo
(Sudo section now looks like this)
svcgalaxy ALL=(ALL) ALL
svcgalaxy ALL = (root) NOPASSWD: SETENV:
/mnt/ngs/analysis/svcgalaxy/galaxy-test/scripts/drmaa_external_runner.py
svcgalaxy ALL = (root) NOPASSWD: SETENV:
/mnt/ngs/analysis/svcgalaxy/galaxy-test/scripts/drmaa_external_killer.py
svcgalaxy ALL = (root) NOPASSWD: SETENV:
/mnt/ngs/analysis/svcgalaxy/galaxy-test/scripts/external_chown_script.py
5 (OPTIONAL) I even left the default setting for the
outputs_to_working_directory set to FALSE since I hate to lose the option to
be able to see the progress of a running job by clicking the eye icon to see
the log file fill up
Here's the tweak to external_chown_script.py...
def main():
path, galaxy_user_name, gid = validate_paramters()
#os.system('chown -Rh %s %s' %(galaxy_user_name, path))
#os.system('chgrp -Rh %s %s' %(gid, path))
I could have dispensed with the script completely ofcourse and simply have
main return 0, but this way I remember to someday find a better
solution.....
But for now I am saved and have a nice system that informs the users the
progress of their own jobs with qstat...
This may not work for everyone, but for a small group of trustworthy users,
this is a passable way to allow jobs to be submitted as real users..
Thon
-----Original Message-----
From: galaxy-dev-boun...@lists.bx.psu.edu
[mailto:galaxy-dev-boun...@lists.bx.psu.edu] On Behalf Of Thon de Boer
Sent: Thursday, February 21, 2013 11:08 PM
To: 'Nate Coraor'
Cc: 'Galaxy-dev Galaxy-dev'
Subject: Re: [galaxy-dev] Submitting jobs as a real user without using
chown, please
OK...I think I can make this work, since it is not that difficult to make a
directory world writeable...Or at least group writeable since all the users
that will be able to run galaxy are in the same group as svcgalaxy that runs
galaxy...I'll look at those scripts and see what they need to do...
Thanks
Thon
-----Original Message-----
From: Nate Coraor [mailto:n...@bx.psu.edu]
Sent: Thursday, February 21, 2013 5:56 AM
To: Anthonius deBoer
Cc: 'Galaxy-dev Galaxy-dev'
Subject: Re: [galaxy-dev] Submitting jobs as a real user without using
chown, please
On Feb 20, 2013, at 2:37 PM, Anthonius deBoer wrote:
> Ah...Found what root squashing is and yes, that is turned on our
> isilon
system...
>
> So out of luck I take it? We need to chown? we cannot fake the
> submission name in another way ;)
Galaxy must have a way to make the job working directory writable for the
user that the job is running as. If this means logging in to another system
via ssh that *does* have the ability to change ownership, then you can do
that. The method is completely customizable because you can set the chown
script to anything that works for you.
However, some means of doing this that is appropriate for your environment
has to exist for Galaxy to perform it. That said, you might be able to get
away with having the script make the working directory world-writeable
instead of owned by the real user.
--nate
>
> Thanks
>
> Thon
>
> On Feb 20, 2013, at 10:32 AM, Anthonius deBoer <thondeb...@me.com> wrote:
>
>> I cannot run chown even as a sudo command...Same error...
>> What is root squashing? I am reading on the internet that it is very
common not to allow users to change the ownership of files...
>>
>>
>> Thon
>> On Feb 20, 2013, at 05:52 AM, Nate Coraor <n...@bx.psu.edu> wrote:
>>
>>> On Feb 19, 2013, at 11:02 PM, Thon de Boer wrote:
>>>
>>> > Hi,
>>> >
>>> > I am trying to setup my galaxy system to allow jobs to be
>>> > submitted as the real user, since people want to keep an eye on
>>> > their job on the cluster sometimes and they have no ideas which
>>> > ones are theirs.
>>> >
>>> > I tried the approach on the wiki here:
>>> >
>>> > http://wiki.galaxyproject.org/Admin/Config/Performance/Cluster?hig
>>> > hlight=%28submit%29%7C%28jobs%29%7C%28as%29%7C%28user%29#Submittin
>>> > g_Jobs_as_the_Real_User
>>> >
>>> > but unfortunately, the CHOWN command is not allowed, not even as a
>>> > sudo user. Probably has to do with the fact that we run our
>>> > cluster from an isilon system, which I assume is pretty typical.
>>> >
>>> > The job was actually successfully submitted as the intended user,
>>> > so that part works, but if we can just get it to work without
>>> > having to rely on chown that would be awesome.
>>> >
>>> > Can someone point me in the right direction?
>>>
>>> Hi Thon,
>>>
>>> If you run the command from the command line, what results do you get?
>>>
>>> /usr/bin/sudo -E scripts/external_chown_script.py
>>> /mnt/ngs/analysis/svcgalaxy/galaxy-test/database/job_working_directo
>>> ry/000/148 svcgalaxy 10000
>>>
>>> Note that external_chown_script.py can be modified as necessary to
>>> allow
you to change ownership in whatever way is appropriate for your site. Since
it should just be an NFS mount, as long as root squashing is not enabled and
your svcgalaxy user has sudo permission to run this script, it should
succeed.
>>>
>>> --nate
>>>
>>> >
>>> > Here's the error.
>>> >
>>> > galaxy.jobs.runners.local DEBUG 2013-02-19 19:35:31,524 execution
>>> > of external set_meta for job 148 finished galaxy.jobs DEBUG
>>> > 2013-02-19 19:35:31,576 (148) Changing ownership of working
>>> > directory with: /usr/bin/sudo -E scripts/external_chown_script.py
/mnt/ngs/analysis/svcgalaxy/galaxy-test/database/job_working_directory/000/1
48 svcgalaxy 10000 galaxy.jobs ERROR 2013-02-19 19:35:31,653 (148) Failed to
change ownership of
/mnt/ngs/analysis/svcgalaxy/galaxy-test/database/job_working_directory/000/1
48, failing Traceback (most recent call last):
>>> > File
>>> > "/mnt/ngs/analysis/svcgalaxy/galaxy-test/lib/galaxy/jobs/__init__.
>>> > py", line 343, in finish
>>> > self.reclaim_ownership()
>>> > File
>>> > "/mnt/ngs/analysis/svcgalaxy/galaxy-test/lib/galaxy/jobs/__init__.
>>> > py", line 916, in reclaim_ownership self._change_ownership(
>>> > self.galaxy_system_pwent[0], str( self.galaxy_system_pwent[3] ) )
>>> > File
>>> > "/mnt/ngs/analysis/svcgalaxy/galaxy-test/lib/galaxy/jobs/__init__.
>>> > py", line 902, in _change_ownership assert p.returncode == 0
>>> > AssertionError galaxy.jobs DEBUG 2013-02-19 19:35:31,722 fail():
>>> > Moved
>>> > /mnt/ngs/analysis/svcgalaxy/galaxy-test/database/job_working_direc
>>> > tory/000/148/galaxy_dataset_332.dat to
>>> > /mnt/ngs/analysis/svcgalaxy/galaxy-test/database/files/000/dataset
>>> > _332.dat galaxy.datatypes.metadata DEBUG 2013-02-19 19:35:31,924
>>> > Cleaning up external metadata files
>>> >
>>> > Thanks
>>> >
>>> > Thon
>>> > ___________________________________________________________
>>> > Please keep all replies on the list by using "reply all"
>>> > in your mail client. To manage your subscriptions to this and
>>> > other Galaxy lists, please use the interface at:
>>> >
>>> > http://lists.bx.psu.edu/
>>>
>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client. To manage your subscriptions to this and other
>> Galaxy lists, please use the interface at:
>>
>> http://lists.bx.psu.edu/
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this and other Galaxy
lists, please use the interface at:
http://lists.bx.psu.edu/
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
http://lists.bx.psu.edu/
