[Condor-users] How does condor decide who the active user is?

I realize there are a lot of non-condor parts to this post; they are for background. Primarily I am trying to gain a fuller understanding of what is going on when a job is submitted so I can hopefully get closer to a solution to my problem.

I have a problem on my cluster. Authentication to my condor cluster is a combination of Globus and what is called role-based authentication. Job submission is via condor-g (usually). Depending on your credentials (x509) and your role, you get mapped to a particular user who then submits the job to the cluster. The same x509 cert can have different roles if they are allowed.

The problem I am having is that I recently started getting errors in SchedLog like

SetAttribute security violation: setting owner to "cmst2admin" when active owner is "uscms001"

Shortly after this error the job halts on the submitting host and everything shuts down as far as the condor schedd host. Of course what is frustrating is that things used to work perfectly. Then something unknown changed and now I get this error.

I turned on more verbose logging in condor but it did not really tell me a lot more than the above line. As far as I can tell, when the job request comes in over globus it is getting the right userid assigned to it (cmst2admin). However, at some point condor decides that the active owner is uscms001. Now uscms001 is one of the two roles for this one user's X509, and could be considered the default role. I am not sure, though, at what point uscms001 is getting picked up. So I wanted to ask if anyone knows how condor decides on the active user and where I might be able to look for more detail on what exactly is going on here. It is especially a problem since everything happens very quickly and the job essentially shuts down. So aside from logs there is precious little evidence.

Oh, and job submission works if you do not try to use the more fancy roles but only use that default role. That is, the user that maps to the cmst2admin role can also map to the cmsuser role, which makes him run as user uscms001. Then everything works fine.

Thanks for any suggestions,