
Re: [Condor-users] Condor 6.7.20 & BirdBath - java.rmi.RemoteException: Permission denied



At 11:24 AM 6/26/2006, Matthew Farrellee wrote:
Rob,

It occurs to me that this specific permission check is actually
controlled by HOSTALLOW_READ/WRITE and ALLOW_READ/WRITE, not
ALLOW_SOAP, sorry. Are those set to allow write access from your IP?

In addition to setting ALLOW_WRITE correctly as Matt says above, are you connecting via HTTPS (with an SSL client side cert to authenticate), or are you connecting via HTTP?

If you are connecting via HTTP, you should place "QUEUE_ALL_USERS_TRUSTED=TRUE" into your condor_config (and do a condor_reconfig) if you want things to work as before. The manual entry for this setting is as follows:

QUEUE_ALL_USERS_TRUSTED.

  Defaults to False. If set to True, then unauthenticated users are
  allowed to write to the queue, and also we always trust whatever the
  Owner value is set to be by the client in the job ad. This was added
  so users can continue to use the SOAP web-services interface over HTTP
  (w/o authenticating) to submit jobs in a secure, controlled environment
  -- for instance, in a portal setting.


The situation is the queue manager code in the schedd really wants to only allow authenticated users to write to the queue. In previous versions of BirdBath, this was hacked around in the code because previous versions of BirdBath had no choice --- the option to authenticate to the queue did not exist. But now that web service clients can authenticate (via SSL), it was decided to set up the defaults in favor of a secure installation and require the admin to go out of their way (by changing the above setting) in order to allow unauthenticated access.

Hope this makes sense and helps with your problem,
regards,
Todd

p.s. the web service documentation in the Condor manual is scheduled for overhaul/improvement Real Soon Now(tm) --- thanks for bearing with us.



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Todd Tannenbaum                       University of Wisconsin-Madison
Condor Project Research               Department of Computer Sciences
tannenba@xxxxxxxxxxx                  1210 W. Dayton St. Rm #4257
http://www.cs.wisc.edu/~tannenba      Madison, WI 53706-1685
Phone: (608) 263-7132  FAX: (608) 262-9777
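
The settings discussed in this message can be audited together. The following is an added example, not part of the original message and not Condor project code: it parses a condor_config fragment and reports when QUEUE_ALL_USERS_TRUSTED is enabled, and whether ALLOW_WRITE or HOSTALLOW_WRITE is also left open to every host. The sample config, the function names and the hostnames are constructed for illustration, and $(MACRO) references are assumed to be absent.

```python
import re

# Constructed sample condor_config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
# pool-wide write access
HOSTALLOW_WRITE = *
ALLOW_WRITE = *.example.org, \\
              192.0.2.10
queue_all_users_trusted = True
"""

WRITE_KNOBS = ("ALLOW_WRITE", "HOSTALLOW_WRITE")


def parse_config(text):
    """Return {UPPERCASE_NAME: value}; a later assignment overrides an earlier one.

    Assumption: $(MACRO) references are left unexpanded.
    """
    settings = {}
    joined = re.sub(r"\\[ \t]*\n", " ", text)  # join backslash-continued lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip().upper()] = " ".join(value.split())
    return settings


def audit(text):
    """List findings for unauthenticated queue writes combined with open write lists."""
    cfg = parse_config(text)
    if cfg.get("QUEUE_ALL_USERS_TRUSTED", "FALSE").upper() != "TRUE":
        return []  # default is False: queue writes require authentication
    findings = ["QUEUE_ALL_USERS_TRUSTED=True: unauthenticated clients can write "
                "to the queue and the client-supplied Owner is trusted"]
    for knob in WRITE_KNOBS:
        entries = [e for e in re.split(r"[,\s]+", cfg.get(knob, "")) if e]
        if "*" in entries:
            findings.append(f"{knob} contains '*': write access is not restricted by host")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN:", finding)
```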