
[Condor-users] Turning on GSI security



Hi,
I'm trying to turn on GSI authentication and authorization between condor_submit and the sched, and between daemons. On my way there, I've fallen at the first hurdle. The only way I can get permission denied from condor_submit is to set
DENY_WRITE = *

If I unset this and instead set
ALLOW_WRITE = pants@rubbish/rubbish
then I am authorized despite not being in ALLOW_WRITE. I understand that the host-based authorization is 'combined' with the user-based, so I tried
HOSTSALLOW_WRITE = *.noone

but this didn't help. I can't fail the authorization.
Furthermore, I see no indication that GSI is being used at all, as the log with DENY_WRITE=* shows only
10/16 13:31:04 QMGT command failed: no WRITE permission for $MYIP

I'm using 6.8.1 and in the local config
SEC_DEFAULT_AUTHENTICATION_METHOD = GSI
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_ENCRYPTION             = REQUIRED
SEC_DEFAULT_INTEGRITY              = REQUIRED

I've also got GSI_DAEMON_* and GRIDMAP but I don't think these are being used.

How do I turn on GSI security?

Cheers,
Rod.

--
Tel. +1 604 222 7667