[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Condor-users] How does condor decide who the active user is?
- Date: Wed, 28 Sep 2005 16:30:22 -0700
- From: Terrence Martin <tmartin@xxxxxxxxxxxxxxxx>
- Subject: [Condor-users] How does condor decide who the active user is?
I realize there is a lot of non-condor parts to this post, they are for
background. Primarily I am trying to gain a more full understanding of
what is going on when a job is submitted so I can hopefully get closer
to a solution to my problem.
I have a problem on my cluster. Authentication to my condor cluster is a
combination of Globus what is called Role based authentication. Job
submission is via condor-g (usually). Depending on you credentials
(x509) and your role you get mapped to a particular user who then
submits the job to the cluster. The same x509 cert can have different
roles if they are allowed.
The problem I am having is that I recently started getting errors in
SetAttribute security violation: setting owner to "cmst2admin" when
active owner is "uscms001"
Shortly after this error the job halts on the submitting host and
everything shuts down as far as the condor schedd host. Of course what
is frustrating is that things used to work perfectly. then something
unknown change and now I get this error.
I turned on more verbose logging in condor but it did not really tell
me a lot more than the above line. As far as I can when the job request
comes in over globus it is getting the right userid assigned to it
(cmst2admin). However at some point condor decides that the active owner
is uscms001. Now uscms001 is one of the two rolls for this one users
X509, and could be considered the default roll. I am not sure though at
what point uscms001 is getting picked up. So I wanted to ask if anyone
knows how condor decides on the active user and where I might be able to
look for more detail on what is exactly going on here. It is especially
a problem since everything happens very quickly and the job essentially
shuts down. So aside from logs there is precious little evidence.
Oh and job submission works, if you do not try to use the more fancy
rolls but only use that default roll. That is the user that maps to
cmst2admin role can also map to cmsuser role which makes him run as user
uscms001. Then everything works fine.
Thanks for any suggestions,