
[HTCondor-users] [Windows] condor_store_cred add fails when using IDTokens



Hello,

I continue to expand my new security model + HAD test flock by integrating additional nodes, including a Windows AP + execute machine.

For now, I find the setup instructions for Windows to be lacking in details and practical examples on how you can proceed towards a working solution when integrating an existing Linux flock with IDTokens.

 

The things I've done so far, following an older discussion I found:

  • Copied /etc/condor/password.d/POOL from one of the test Linux machines to C:\condor\token.sk on the Windows machine.

  • Re-generated IDTokens for each of the CMs on the Windows machine.

  • Set up a file named 99-spc-execute-ap.config in C:\condor\config with the following content:

CONDOR_HOST = A
use security:get_htcondor_idtokens

DAEMON_LIST = MASTER, SCHEDD, STARTD

CENTRAL_MANAGER1 = A
CENTRAL_MANAGER2 = B

COLLECTOR_HOST  = $(CENTRAL_MANAGER1),$(CENTRAL_MANAGER2)

The Windows machine connects to the test HAD flock and is able to receive and process jobs, with results returned to the Linux AP.

 

However, when attempting to submit jobs from the Windows machine, condor_submit fails, as expected, with:

 

ERROR: No credential stored for <user>

 

        Correct this by running:

        condor_store_cred add

 

But running condor_store_cred add fails with:

 

Account: <user>

CredType: password

 

Enter password:

Operation failed.

Make sure your ALLOW_WRITE setting includes this host.

So far, in this base config:


> condor_config_val -v ALLOW_WRITE

ALLOW_WRITE = condor@xxxxxxxxxxxxxxxxxxxxxxxxx

# at: C:\condor\config\99-spc-execute-ap.config, line 2, use SECURITY:get_htcondor_idtokens+52

# raw: ALLOW_WRITE = condor@$(TRUST_DOMAIN)

 

And in C:\condor\log\SchedLog:

 

01/18/24 09:32:53 (pid:14176) PERMISSION DENIED to condor_pool@ from host <ip> for command 479 (STORE_CRED), access level WRITE: reason: WRITE authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: <ip>,host.docker.internal, hostname size = 1, original ip address = <ip>

01/18/24 09:32:53 (pid:14176) DC_AUTHENTICATE: Command not authorized, done!

 

I’ve tested adding the following line to the custom configuration file:

 

ALLOW_WRITE = $(ALLOW_WRITE) *

 

However, the error message now changes to:

 

> condor_config_val -v ALLOW_WRITE

Account: <user>

CredType: password

 

Enter password:

Operation failed because it is not allowed

 

And now C:\condor\log\SchedLog contains instead:

 

01/18/24 09:42:01 (pid:15052) WARNING: store_cred() for user <user>  attempted by user condor_pool, rejecting

 

Debug info for the command using -d flag is:

 

01/18/24 09:42:01 STORE_CRED: In mode 100 'add', user is "<user>"

Operation failed because it is not allowed

 

I’ve also tried condor_store_cred add -u <user> to no avail (same error as above).

The same operation works OK when falling back to the previous host based configuration on the main flock.

Any clue?

 

Thanks

 

–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-


Fabrice Bouyé

IT Specialist (Scientific Computing) - Fisheries, Aquaculture and Marine Ecosystems Division

Pacific Community | Communauté du Pacifique

CPS – B.P. D5 | 98848 Noumea, New Caledonia | Nouméa, Nouvelle-Calédonie

Tel: (687) 26 20 00 | Ext: 31411 | Mob: (687) 77 91 25 | Fax: (687) 26 38 18

E: fabriceb@xxxxxxx

–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-

As part of our emissions reduction strategy, please only print this email if necessary
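The two SchedLog messages quoted in the post describe two different rejections: the first is an authorization failure (no ALLOW_WRITE entry matches the authenticated identity `condor_pool@` for command 479, STORE_CRED), the second is the schedd refusing a store_cred for one user that was attempted as a different authenticated user. The following parser pulls those fields out of SchedLog lines and checks the rejected identity against an ALLOW_* list. This is an added example, not HTCondor's own code: the sample log lines are constructed to mirror the quoted ones with placeholder values (10.0.0.5, alice), and the ALLOW matcher is a simplified approximation of HTCondor's `user@domain/host` wildcard matching, not the daemon's implementation.

```python
"""Parse HTCondor SchedLog authorization rejections and check the rejected
identity against an ALLOW_* list (simplified matcher; see comments)."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed sample lines mirroring the two SchedLog messages quoted in the
# post, with the placeholders <ip> and <user> replaced by 10.0.0.5 and alice.
SAMPLE_SCHEDLOG = """\
01/18/24 09:32:53 (pid:14176) PERMISSION DENIED to condor_pool@ from host 10.0.0.5 for command 479 (STORE_CRED), access level WRITE: reason: WRITE authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 10.0.0.5,host.docker.internal, hostname size = 1, original ip address = 10.0.0.5
01/18/24 09:32:53 (pid:14176) DC_AUTHENTICATE: Command not authorized, done!
01/18/24 09:42:01 (pid:15052) WARNING: store_cred() for user alice  attempted by user condor_pool, rejecting
"""

TS = r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \(pid:(?P<pid>\d+)\) "
DENIED_RE = re.compile(
    TS + r"PERMISSION DENIED to (?P<identity>\S+) from host (?P<host>\S+) "
    r"for command (?P<cmd>\d+) \((?P<cmdname>\w+)\), access level (?P<level>\w+): "
    r"reason: (?P<reason>.*)$"
)
STORE_CRED_RE = re.compile(
    TS + r"WARNING: store_cred\(\) for user (?P<target>\S+)\s+"
    r"attempted by user (?P<actor>\S+), rejecting$"
)


@dataclass
class AuthFailure:
    kind: str              # "not_authorized" (no ALLOW match) or "identity_mismatch"
    actor: str             # authenticated identity the daemon saw
    target: Optional[str]  # user whose credential was being stored (store_cred form)
    host: Optional[str]
    command: Optional[str]
    level: Optional[str]
    detail: str


def parse_schedlog(text: str) -> List[AuthFailure]:
    """Return one AuthFailure per rejection line; other lines are ignored."""
    failures: List[AuthFailure] = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            failures.append(AuthFailure("not_authorized", m["identity"], None,
                                        m["host"], m["cmdname"], m["level"], m["reason"]))
            continue
        m = STORE_CRED_RE.match(line)
        if m:
            failures.append(AuthFailure("identity_mismatch", m["actor"], m["target"],
                                        None, "STORE_CRED", None,
                                        "authenticated identity differs from target user"))
    return failures


def allow_entry_matches(entry: str, identity: str, host: str) -> bool:
    """Simplified approximation (an assumption, not HTCondor's code) of how one
    ALLOW_* entry is matched: an entry is [user@domain][/host]; either part may
    use '*' wildcards, and an absent part matches anything."""
    if "/" in entry:
        ident_pat, host_pat = entry.split("/", 1)
    elif "@" in entry:
        ident_pat, host_pat = entry, "*"
    else:                          # bare host pattern such as "*" or "*.example.org"
        ident_pat, host_pat = "*", entry
    return fnmatchcase(identity, ident_pat) and fnmatchcase(host, host_pat)


def matching_entries(allow_list: str, identity: str, host: str) -> List[str]:
    """Entries of a comma/space separated ALLOW_* value that match identity/host."""
    entries = [e for e in re.split(r"[,\s]+", allow_list) if e]
    return [e for e in entries if allow_entry_matches(e, identity, host)]


def diagnose(failure: AuthFailure, allow_list: str) -> str:
    """One-line explanation of a rejection given the ALLOW_* list in effect."""
    if failure.kind == "not_authorized":
        hits = matching_entries(allow_list, failure.actor, failure.host or "")
        if hits:
            return f"{failure.actor} matches {hits}; the daemon must be using a different list"
        return (f"no entry in '{allow_list}' matches {failure.actor} from {failure.host} "
                f"for {failure.command} at level {failure.level}")
    return (f"{failure.command} for user {failure.target} was attempted as "
            f"{failure.actor}: {failure.detail}")


if __name__ == "__main__":
    # "trust.example" stands in for the $(TRUST_DOMAIN) value elided in the post.
    for f in parse_schedlog(SAMPLE_SCHEDLOG):
        print(f.kind, "->", diagnose(f, "condor@trust.example"))
```

Run against the constructed lines, the first rejection reports that neither the user part (`condor` vs `condor_pool`) nor the domain part (the trust domain vs the empty domain after `@`) of `condor@$(TRUST_DOMAIN)` matches, and the second reports the mismatch between the authenticated identity and the user being stored for; widening the list with `*` makes the first check pass, which is exactly the point at which the post's error moves from the authorization failure to the store_cred identity rejection.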