Azure-Samples / azure-batch-samples

Azure Batch and HPC Code Samples

Allow specification of the elevation level for multi-instance coordination command #227

Closed rupertnash closed 6 years ago

rupertnash commented 7 years ago

Currently one cannot specify any details of the user account used to execute the coordination command. It would be very useful to allow this to be set to an administrator account for configuring system services (e.g. a shared filesystem for the task).

Current workaround is adding a script and making it setuid root with a pool start task, but that's horrible.

matthchr commented 6 years ago

@rupertnash sorry for the slow response on this -- do you mean that you want the ability to specify a different account for the coordination commandline and the normal commandline?

If all you want is to control both, you can use CloudTask.UserIdentity to do it. See the documentation here for C#

rupertnash commented 6 years ago

@matthchr - sorry Matt, I'm afraid I don't follow (possibly as I've never used C#) how that allows me to set the coordination command to run as a different user.

AFAIK, you set the multi-instance settings on an instance of azure.batch.models.MultiInstanceSettings - allowed attributes are: coordination_command_line, number_of_instances, common_resource_files (note nothing about which user account to use).

Then you give this to the multi_instance_settings attribute of your azure.batch.models.TaskAddParameter, along with a suitable user_identity object.

For now I am just running my tasks as an administrator and prefacing the task's command line with sudo -u _azbatch, which is pretty disgusting.

matthchr commented 6 years ago

Hey @rupertnash - Sorry, I didn't realize you were using Python (I would've given snippets in that language if I had).

In Python, to configure the user the task runs under, you need to set: azure.batch.models.TaskAddParameter.user_identity - you can read more about this parameter on readthedocs.

So basically you would set both the multi_instance_settings attribute of TaskAddParameter and the user_identity attribute as well. user_identity applies to the whole task and will run both the multi_instance_settings.coordination_command_line and the command_line in the user you request (or if you don't want to name a user/etc you can use an AutoUser which basically means we generate a user for you but with the criteria you specify).

rupertnash commented 6 years ago

Hi Matt,

> So basically you would set both the multi_instance_settings attribute of TaskAddParameter and the user_identity attribute as well. user_identity applies to the whole task and will run both the multi_instance_settings.coordination_command_line and the command_line in the user you request (or if you don't want to name a user/etc you can use an AutoUser which basically means we generate a user for you but with the criteria you specify.

Yes, this is what I said. I'm well aware that Batch will run both commands as the user specified - this is my problem.

I want to run my task as the default non-privileged user (_azbatch) and the coordination command as a user with admin rights. The reason is that I have a trusted coordination command (necessary to arrange the shared filesystem) and an untrusted user command.

matthchr commented 6 years ago

I see - in that case we don't currently support that scenario other than by having you manually sudo like you're doing in the coordination command.

I'll ask around and see if we have any plans to implement this and get back to you.

matthchr commented 6 years ago

I've moved this issue to https://github.com/Azure/Batch/issues/12.
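
The workaround discussed in this thread (an admin identity for the whole task, with the untrusted command line dropped to _azbatch through sudo), as an added example that is not code from the thread or from the Batch SDK. It builds the task body as a plain dict using Batch REST API field names and audits it; the helper names, the sample commands and POSIX-style splitting of the command line on the node are assumptions of this example.

```python
import shlex

UNPRIVILEGED_USER = "_azbatch"  # default non-admin task user named in the thread


def drop_privileges(untrusted_cmd, user=UNPRIVILEGED_USER):
    """Wrap an untrusted command so it runs as `user`, not as the admin identity."""
    # shlex.quote keeps the whole untrusted string as ONE argument to `sh -c`,
    # so it cannot smuggle in commands that would run before the sudo drop.
    return "sudo -u {} -- /bin/sh -c {}".format(user, shlex.quote(untrusted_cmd))


def build_task(task_id, coordination_cmd, untrusted_cmd, instances):
    """Task body (hypothetical helper); userIdentity covers both command lines."""
    return {
        "id": task_id,
        # Untrusted part: explicitly de-escalated.
        "commandLine": drop_privileges(untrusted_cmd),
        "multiInstanceSettings": {
            "numberOfInstances": instances,
            # Trusted part: inherits the admin identity below.
            "coordinationCommandLine": coordination_cmd,
        },
        "userIdentity": {"autoUser": {"elevationLevel": "admin"}},
    }


def audit_task(task, user=UNPRIVILEGED_USER):
    """Return findings for an admin task whose user command is not de-escalated."""
    auto = task.get("userIdentity", {}).get("autoUser", {})
    if auto.get("elevationLevel") != "admin":
        return []  # nothing in this task runs elevated
    try:
        argv = shlex.split(task.get("commandLine", ""))
    except ValueError:
        return ["commandLine is not parseable; cannot confirm privilege drop"]
    expected_prefix = ["sudo", "-u", user, "--", "/bin/sh", "-c"]
    # Exactly one trailing argument: the quoted untrusted command.
    if argv[:6] != expected_prefix or len(argv) != 7:
        return ["admin task runs commandLine without dropping to " + user]
    return []


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    task = build_task("mpi-job-1", "/opt/setup_sharedfs.sh", "./solver input.dat", 4)
    print(task["commandLine"], audit_task(task))
```

Running `audit_task` over task bodies before submission catches the case where the admin identity is set for the coordination command but the sudo prefix on the user command was forgotten.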