
Re: [Condor-users] Close to getting SOAP HTTPS working



Inline...

On Sep 25, 2006, at 6:33 PM, David E. Konerding wrote:

Hi,
I'm pretty close to getting SOAP HTTPS working.

Unfortunately the one bit of documentation on setting up the
CANONICAL_MAPFILE and USER_MAPFILE is
really too vague to help me debug my problem. Specifically, I can't
figure out how to adapt the examples in the Condor Week PPT
to my situation.

Here's my SOAP config:

NETWORK_INTERFACE = 131.243.2.15
CONDOR_HOST=oliver.lbl.gov
ENABLE_SOAP=TRUE
ENABLE_WEB_SERVER = TRUE
ALLOW_SOAP= */131.243.2.255
WEB_ROOT_DIR = /home/portnoy/dsd/Linux/condor/condor-6.8.1/lib/webservice
ALLOW_WRITE=*
QUEUE_ALL_USERS_TRUSTED=TRUE ## this is required for people to submit jobs via http
SCHEDD_DEBUG = D_FULLDEBUG
COLLECTOR_DEBUG = D_FULLDEBUG
SOAP_SSL_SERVER_KEYFILE = /var/condor/condor-6.8.1/private/key
SOAP_SSL_CA_DIR = /etc/condor/certificates
CERTIFICATE_MAPFILE = /etc/condor/canonical_map
USER_MAPFILE = /etc/condor/user_map
SEC_CANONICAL_MAPFILE = /etc/condor/canonical_map
SEC_USER_MAPFILE = /etc/condor/user_map
ENABLE_SOAP_SSL = TRUE

Now, I'm testing this using my Globus certificate, which has a subject:
DC=org, DC=doegrids, OU=People, CN=David E. Konerding 692119
and an extension, X509v3 Subject Alternative Name set to:
email:dekonerding@xxxxxxx


Whenever I try to make a request against the server (actually, not even
attempting a real request, just using curl):
% curl --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem --capath /etc/grid-security/certificates https://oliver.lbl.gov:35103
I get:

Enter PEM pass phrase:
curl: (52) Empty reply from server

In the server logs I see:
9/25 16:18:54 SOAP SSL connection attempt from <131.243.2.15:60056> succeeded
9/25 16:18:54 SOAP SSL connection from <131.243.2.15:60056>, X509 subject: /DC=org/DC=doegrids/OU=People/CN=David E. Konerding 692119
9/25 16:18:54 SOAP SSL connection rejected, no mapping in CERTIFICATE_MAPFILE

So obviously it's getting as far as the authentication step. Now, the
trickiness comes in here:
I have no idea how to interpret the canonical mapfile format:
SSL .*emailAddress=(.*)@cs.wisc.edu.* \1

The canonical mapfile's format is three whitespace separated fields. The first field is the authentication type (I think only SSL is valid right now) the second field is a regular expression (we are using PCRE) that matches an incoming user (in the SSL case the cert's subject), and the third field is what the incoming user maps to. You can use the standard regular-expression substitution to extract information from the second field for use in the third.


For example, what field in the X509 cert does "emailAddress" correspond
to? What is the meaning of the regular expression "(.*)"
and the "\1"? The Condor Week PPT only has this to say:

It looks like your subject does not have an emailAddress component, so that RE will never match your cert. Some (many?) subjects are similar to:

/C=US/ST=Wisconsin/L=Madison/O=UW-Madison/OU=Grad/CN=Matt/emailAddress=matt@xxxxxxxxxxx


“SSL” is the authentication method, “.*emailAddress….*” is a pattern
to match against authenticated names, and “\1” is the canonical name,
in this case the username on the email in the principal
But that information is pretty vague. The (.*) and \1 syntax looks
suspiciously like standard regular-expression match substitution syntax, where
the first (.*) that gets matched in the RE can be referred to later by
using "\1".

You are exactly right.


Furthermore, any attempt I make to play with entries in the
canonical_mapfile doesn't actually do anything. I've thrown catch-alls
at it and always get the same failure message as above. I can't even
tell if condor_collector is re-parsing the canonical_mapfile after I
make changes through it, and
I don't want to restart condor every time I change the canonical mapfile.

It is possible that the files are not reparsed on reconfig, though they should be.


Can you guys at least suggest a simple canonical mapfile and user
mapfile that will work in the situation where the user name of the email
address is not the same as the principal (for example I am user 'dek'
but my email is dekonerding@xxxxxxx). Or a super-simple one that at
least ?

Here's what I've got that doesn't work:

oliver:/etc/condor # cat canonical_map
SSL .*email.*=(.*)@lbl.gov.* dek

oliver:/etc/condor # cat user_map
dek dek

How about, canonical_map: SSL .* dek

and, user_map: dek dek

That should map everyone coming in to you.

Or a canonical_map of: SSL "/DC=org/DC=doegrids/OU=People/CN=David E \. Konerding.*" dek

Let me know if this works...


matt
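Added example, not from the thread and not Condor's own code: a small simulation of the two-stage mapping described above (CERTIFICATE_MAPFILE, then USER_MAPFILE), run against the subject string exactly as it appears in the server log. The parsing rules are an assumption inferred from matt's description: three whitespace-separated fields, a PCRE-style regex in the second field, \1-style expansion in the third, and a double-quoted field allowed to contain spaces (as in the quoted pattern in the reply). Whether Condor anchors the match at the start of the subject is also an assumption; every pattern in the thread begins with `.*`, so it makes no difference here. The subject with an emailAddress component is constructed to resemble the one in the reply, with the domain chosen to fit the cs.wisc.edu rule.

```python
"""Simulate Condor's SSL name mapping: canonical_map, then user_map.

Added example; the mapfile grammar below is an assumption based on the
mailing-list description, not Condor's parser.
"""
import re

# Constructed samples. The first is the subject string from the server log
# in the post (the certificate's SAN e-mail is not part of this string, so no
# rule can see it); the second resembles the emailAddress-bearing subject in
# the reply, with a constructed e-mail domain matching the cs.wisc.edu rule.
SUBJECT = "/DC=org/DC=doegrids/OU=People/CN=David E. Konerding 692119"
SUBJECT_WITH_EMAIL = ("/C=US/ST=Wisconsin/L=Madison/O=UW-Madison/OU=Grad"
                      "/CN=Matt/emailAddress=matt@cs.wisc.edu")

# The canonical_map variants discussed in the thread, plus a corrected form
# of the last one (the posted pattern has a space before "\.", so it wants
# "David E ." and never matches "David E. Konerding").
MAP_DOC_EXAMPLE = r"SSL .*emailAddress=(.*)@cs.wisc.edu.* \1"
MAP_DAVID = r"SSL .*email.*=(.*)@lbl.gov.* dek"
MAP_CATCHALL = r"SSL .* dek"
MAP_BY_SUBJECT_AS_POSTED = r'SSL "/DC=org/DC=doegrids/OU=People/CN=David E \. Konerding.*" dek'
MAP_BY_SUBJECT_FIXED = r'SSL "/DC=org/DC=doegrids/OU=People/CN=David E\. Konerding.*" dek'
USER_MAP = "dek dek"

_FIELD = re.compile(r'"([^"]*)"|(\S+)')  # a double-quoted field or a bare word


def split_fields(line):
    """Split a mapfile line into fields; a double-quoted field may hold spaces."""
    return [quoted or bare for quoted, bare in _FIELD.findall(line)]


def parse_canonical_map(text):
    """Return [(method, compiled_regex, target)] for each non-blank, non-comment line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {fields!r}")
        method, pattern, target = fields
        rules.append((method, re.compile(pattern), target))
    return rules


def parse_user_map(text):
    """Return {canonical_name: local_user} from two-field lines."""
    users = {}
    for raw in text.splitlines():
        fields = split_fields(raw.strip())
        if len(fields) == 2:
            users[fields[0]] = fields[1]
    return users


def canonicalize(rules, method, name):
    """First rule for this method whose regex matches wins; \\1 etc. in the
    target expand to the captured groups. None means "no mapping", which is
    the rejection David sees in the log."""
    for rule_method, regex, target in rules:
        if rule_method != method:
            continue
        m = regex.match(name)  # assumption: anchored at the start of the subject
        if m:
            return m.expand(target)
    return None


def map_ssl_subject(canonical_text, user_text, subject):
    """Full chain: subject -> canonical name -> local user, or None at either step."""
    canonical = canonicalize(parse_canonical_map(canonical_text), "SSL", subject)
    if canonical is None:
        return None
    return parse_user_map(user_text).get(canonical)


if __name__ == "__main__":
    variants = [("doc example", MAP_DOC_EXAMPLE), ("David's", MAP_DAVID),
                ("catch-all", MAP_CATCHALL), ("as posted", MAP_BY_SUBJECT_AS_POSTED),
                ("fixed", MAP_BY_SUBJECT_FIXED)]
    for label, cmap in variants:
        for subj in (SUBJECT, SUBJECT_WITH_EMAIL):
            print(f"{label:12} {subj[:44]:44} -> {map_ssl_subject(cmap, USER_MAP, subj)}")
```

Running it shows why each attempt in the thread behaves as it does: the documentation example and David's own rule look for an emailAddress component inside the subject DN and never see the SAN e-mail, so they return no mapping; `SSL .* dek` maps both subjects to dek; and the quoted per-subject rule only matches once the space before `\.` is removed. Note what the catch-all means in practice: every certificate that chains to a CA in SOAP_SSL_CA_DIR becomes dek, so it is a debugging step, and a per-subject rule (ideally anchored with `^` and `$`) is what belongs in the file once the mapping is confirmed.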