Mailing List Archives Public Access	UW Madison Computer Sciences Department Computer Systems Lab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] idtoken capabilities for status queries?

Date: Fri, 5 Apr 2024 15:14:01 +0200
From: Thomas Hartmann <thomas.hartmann@xxxxxxx>
Subject: [HTCondor-users] idtoken capabilities for status queries?

Hi all,

to get rid of old habits, we have dropped now in our pre-productioncluster passwords etc. in favour of IDTOKENs only.

In principle, execution and access points can connect to the centralmanager [1]. However, I have not managed yet to identify the correcttoken capabilities and ALLOW_* to allow from each daemon to query thecluster status, i.e., to be able to run `condor_status` from each node.

The tokens I tried so far have the points' daemon flavor, masterannounce as well as read and advertise [1]. And the token identitieshave been added to the corresponding rule sets [2].


But still I am not able to query the central manager from a client

[root@batch1504 ~]# condor_status
Error: communication error

SECMAN:2010:Received "DENIED" from server for userexecutionpoint-grid@xxxxxxx using method IDTOKENS.

I toyed also with the client role assuming that a EP or AP would countas server(?) when querying the central manager (becoming a client??) -but also without success so far.

As side question: in a HA set up, is it sufficient to keep the signingkey the same on both central manager nodes - or would one has to synccreated tokens as well (I would assume that the fallback CM should beable to validate tokens created on the active CM with the symmetric key,or?)


Cheers and thanks for ideas,
  Thomas


[1]

> condor_token_create -identity accesspoint-condorce-grid@xxxxxxx-authz ADVERTISE_SCHEDD -authz ADVERTISE_MASTER -authz READ -authzADVERTISE -authz CLIENT -token accesspoint-condorce-grid


> condor_token_list
...

Header: {"alg":"HS256","kid":"POOL"} Payload:{"iat":1234,"iss":"desy.de","jti":"56789","scope":"condor:\/ADVERTISE_STARTDcondor:\/ADVERTISE_MASTER condor:\/READ condor:\/ADVERTISEcondor:\/CLIENT","sub":"executionpoint-grid@xxxxxxx"} File:/etc/condor/tokens.d/executionpoint-grid




[2]
ALLOW_ADMINISTRATOR = $(CONDOR_HOST), $(IP_ADDRESS)

ALLOW_ADVERTISE = *.desy.de executionpoint-grid@xxxxxxxaccesspoint-condorce-grid@xxxxxxx

ALLOW_CLIENT = *
ALLOW_CONFIG = batch*.desy.de grid*.desy.de

ALLOW_DAEMON = *.desy.de executionpoint-grid@xxxxxxxaccesspoint-condorce-grid@xxxxxxx

ALLOW_NEGOTIATOR = *.desy.de

ALLOW_READ = *.desy.de executionpoint-grid@xxxxxxxaccesspoint-condorce-grid@xxxxxxx

ALLOW_SUBMIT_FROM_KNOWN_USERS_ONLY = false
ALLOW_TRANSFER_REMAP_TO_MKDIR = true
ALLOW_WRITE = *.$(UID_DOMAIN)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- Re: [HTCondor-users] idtoken capabilities for status queries?
  - From: Jaime Frey

Prev by Date: [HTCondor-users] CPUs total for machines with Partitionable Slots?
Next by Date: Re: [HTCondor-users] python3-condor-23.7.0-0.724340.el8.x86_64 RPM problem
Previous by thread: Re: [HTCondor-users] CPUs total for machines with Partitionable Slots?
Next by thread: Re: [HTCondor-users] idtoken capabilities for status queries?
Index(es):
- Date
- Thread

Mailing List Archives

Public Access

[HTCondor-users] idtoken capabilities for status queries?