Hello,
I continue to expand my new security model + HAD test flock by integrating additional nodes, including a Windows AP + execute machine.
For now, I find the setup instructions for Windows to be lacking in details and practical examples on how you can proceed towards a working solution when integrating an existing Linux
flock with IDTokens.
The things Iâve made so far, by following an older discussions Iâve found:
-
Copied /etc/condor/password.d/POOL from one of the test Linux machines to C:\condor\token.sk on the Windows machine.
-
Re-generated IDTokens for each of the CMs on the Windows machine.
-
Setup a file named 99-spc-execute-ap.config in C:\condor\config with the following content:
CONDOR_HOST = A
use security:get_htcondor_idtokens
DAEMON_LIST = MASTER, SCHEDD, STARTD
CENTRAL_MANAGER1 = A
CENTRAL_MANAGER2 = B
COLLECTOR_HOST = $(CENTRAL_MANAGER1),$(CENTRAL_MANAGER2)
The Windows machine connects to the test HAD flock and is able to receive and process jobs, with results returned to the Linux AP.
However, when attempting to submit jobs from the Windows machine, condor_submit fails, as expected, with:
ERROR: No credential stored for <user>
Correct this by running:
condor_store_cred add
But when running condor_store_cred add with:
Account: <user>
CredType: password
Enter password:
Operation failed.
Make sure your ALLOW_WRITE setting includes this host.
So far, in this base config:
> condor_config_val -v ALLOW_WRITE
# at: C:\condor\config\99-spc-execute-ap.config, line 2, use SECURITY:get_htcondor_idtokens+52
# raw: ALLOW_WRITE = condor@$(TRUST_DOMAIN)
And in C:\condor\log\SchedLog:
01/18/24 09:32:53 (pid:14176) PERMISSION DENIED to condor_pool@ from host <ip> for command 479 (STORE_CRED), access level WRITE: reason: WRITE authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: <ip>,host.docker.internal,
hostname size = 1, original ip address = <ip>
01/18/24 09:32:53 (pid:14176) DC_AUTHENTICATE: Command not authorized, done!
Iâve tested adding the following line to the custom configuration file:
ALLOW_WRITE = $(ALLOW_WRITE) *
However, the error message now changes to:
> condor_config_val -v ALLOW_WRITE
Account: <user>
CredType: password
Enter password:
Operation failed because it is not allowed
And now C:\condor\log\SchedLog contains instead:
01/18/24 09:42:01 (pid:15052) WARNING: store_cred() for user <user> attempted by user condor_pool, rejecting
Debug info for the command using -d flag is:
01/18/24 09:42:01 STORE_CRED: In mode 100 'add', user is "<user>"
Operation failed because it is not allowed
Iâve also tried condor_store_cred add -u <user> to no avail (same error as above).
The same operation works OK when falling back to the previous host based configuration on the main flock.
Any clue?
Thanks
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ-
|
<image001.png>
|
|
Fabrice BouyÃ
IT Specialist (Scientific Computing) - Fisheries, Aquaculture and Marine Ecosystems Division
SpÃcialiste des technologies de l'information (informatique scientifique) - Division pÃche, aquaculture et ÃcosystÃmes marin
Pacific Community | Communautà du Pacifique
CPS â B.P. D5 | 98848 Noumea, New Caledonia | NoumÃa, Nouvelle-CalÃdonie
Tel: (687) 26 20 00 | Ext: 31411 | Mob: (687) 77 91 25 | Fax: (687) 26 38 18
|
|
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ-
As part of our emissions reduction strategy, please only print this email if necessary
Dans le cadre de notre stratÃgie de rÃduction des Ãmissions, merci d'imprimer cet e-mail uniquement si nÃcessaire
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif){kind=logo}