
Re: [HTCondor-users] Authentication using IDTokens



Todd

 

Copying the file from tokens.d worked like a charm. Thanks a bunch

 

P

 

 

Peter Ellevseth 

Principal Advisor / Principal Advisor

+47 93 43 56 01 / +47 73 90 05 00

 peter.ellevseth@xxxxxxxxxx

 safetec.no

 

 

From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
Sent: Monday, April 24, 2023 11:33 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; Peter Ellevseth <Peter.Ellevseth@xxxxxxxxxx>
Subject: Re: [HTCondor-users] Authentication using IDTokens

 

On 4/24/2023 4:56 AM, Peter Ellevseth wrote:

Hi all

 

Struggling with IDTokens. I have a new execute machine to add to my cluster. The new machine is not able to authenticate properly. The only config I have on it is a file in config.d with CONDOR_HOST = … and ‘use rolef:get_htcondor_execute’

 

I already have another machine in my pool with the same config, which is working just fine. All config seems to be identical between the two, but still no authentication. The only difference I have seen is that the new machine is version 10.4 and the old is 10.3. My host is 10.4.

 

On the MasterLog of the new machine I keep seeing:

04/24/23 11:53:32 Token requested not yet approved; please ask collector [HOST] admin to approve request ID 4256417.

 

I can then go to my host and approve this, but that only generates another question with a new ID.

 

I tried using the auto_approve on my HOST, but then I only get this message instead:

04/24/23 11:09:43 PERMISSION DENIED to condor@[new execute machine] from host xxx for command 13 (INVALIDATE_STARTD_ADS), access level ADVERTISE_STARTD: reason: cached result for ADVERTISE_STARTD; see first case for the full reason

 

Any ideas?

 


Hi Peter,

Thank you for sending along the HTCondor version info;  sending along your operating system would also help (Windows? Linux distro? Mac?).  I will guess you are using Linux.

On the Execute Point (EP, i.e. the execute machine) where everything works,  run the following command as user root:

    # condor_token_list

and compare that to the output of condor_token_list as root in the new EP machine that does not work.

Perhaps the working machine has a valid token file sitting in /etc/condor/tokens.d, and the non-working machine does not?  Depending on how you set things up, you could copy the token file from your working EP to your non-working EP.  Be careful to keep the file ownership and permissions the same.

If you have set up your pool using get_htcondor (recommended - it deals with all the security config), you should be able to add a new EP by just running get_htcondor on the EP and giving it the same password you used when setting up your pool initially. See the Admin Quick Start at:
  https://htcondor.readthedocs.io/en/latest/getting-htcondor/admin-quick-start.html

Finally, if you wish to see a 20min tutorial on IDTOKENS (including how to use them to secure your pool) recorded from HTCondor Week 2022, see:
  https://www.youtube.com/watch?v=8fh6SLavDi8

Hope the above helps,
Todd
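
The ownership and permission comparison suggested above for a token file copied between EPs, as an added example that is not part of the thread or of HTCondor itself. The function names are hypothetical, and it assumes Linux with GNU coreutils `stat`, run as root against /etc/condor/tokens.d on each machine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils `stat` (Linux).
# On the working EP:  token_meta /etc/condor/tokens.d > ref.txt
# On the new EP:      token_meta_matches "$(cat ref.txt)" /etc/condor/tokens.d

# token_meta DIR
# Print one line per regular file in DIR: "<octal mode> <owner>:<group> <name>".
# Only metadata is printed, never token contents, so the listing can be
# moved between machines or pasted into a ticket.
token_meta() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(stat -c '%a %U:%G' "$f")" "${f##*/}"
    done
}

# token_meta_matches REFERENCE_LISTING DIR
# Return 0 when DIR's listing equals the one saved from the working EP.
# On mismatch, print both listings to stderr and return 1.
token_meta_matches() {
    here=$(token_meta "$2")
    [ "$1" = "$here" ] && return 0
    printf 'expected:\n%s\nfound:\n%s\n' "$1" "$here" >&2
    return 1
}

# token_meta_loose DIR
# Print the names of files whose mode grants any access to group or other.
# This is general hygiene for a file holding a bearer credential; the
# reference listing from the working EP remains the authority.
token_meta_loose() {
    token_meta "$1" | while read -r mode _owner name; do
        case $mode in
            0|*00) ;;                      # owner-only access
            *) printf '%s\n' "$name" ;;
        esac
    done
}
```

If `token_meta_matches` fails after a copy, recopying with a mode-preserving tool such as `cp -p` or `rsync -a` and rerunning the check is quicker than fixing modes by hand.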