Pilot Job Control Current modus operandi DNIgor CDFCAF

Pilot Job Control Current modus operandi DN=Igor CDFCAF DN=Amber DN=Mark 2 Gatekeeper/Batch Queue 1 4 (5) WN Amber’s job runs as DN=Igor GUMS 3 SAZ DN=Bob DN=Joe . . . WN Mark’s job runs as DN=Igor . . . GUMS – DN to local UID mapper SAZ – site DN authorization

Pilot Job Control Glexec modus operandi DN=Igor 1 4 CDFCAF DN=Amber DN=Mark DN=Bob DN=Joe . . . 2 Gatekeeper/Batch Queue 7 GUMS 3 5 WN glexec maps job to DN=Amber WN 6 SAZ glexec maps job to DN=Mark . . . GUMS – DN to local UID mapper SAZ – site DN authorization

Pilot Job Control We recognize that there is no feasible way to technically control the execution of pilot jobs - it is very easy for an end user to hide the execution of Pilot Jobs. ● ● The only way to control Pilot Jobs is with policy

Pilot Job Control “A Pilot Job is defined as a job where a Job Manager submits a job request to a grid batch system but the application that is executed on the Worker Nodes has been created by, and the input and output data is owned by, another user. “A Pilot Job must correctly map the executed application and the input and output data to the actual owner of the application. “Any job that is discovered to be a Pilot Job which does not correctly perform the appropriate user mapping using the Site supplied utility (i. e. , glexec) will be terminated immediately and the DN of the Job Manager will be placed on the Site Black List until the situation is rectified. ”

Pilot Job Control ● Some of you know that I’m a pilot. . .

Pilot Job Control ● There are two new pilots on the way!