
Re: [Condor-users] 'Could not create new cluster' when using SOAP SSL w/o QUEUE_ALL_USERS_TRUSTED



At 02:51 PM 9/26/2006, David E. Konerding wrote:
Hi,

I am proceeding to truly secure, authenticated web service job
submission to Condor.

The latest snag I've hit is this.  I am trying to submit a job with
SOAP/SSL enabled.  I have authenticated with the web service using my
client certificate.  However, even though I have SOAP/SSL enabled, if I
have QUEUE_ALL_USERS_TRUSTED=False, I get 'Could not create new cluster'
when I try to create a new cluster.

From my reading of Erik Paulson's message:

> If set to True, then unauthenticated users are
>   allowed to write to the queue, and also we always trust whatever the
>   Owner value is set to be by the client in the job ad.

it seems that since I'm coming in as an authenticated user, I should be
able to create a new cluster without this variable set to True.

My config includes:

NETWORK_INTERFACE = 131.243.2.15
CONDOR_HOST=oliver.lbl.gov
ENABLE_SOAP=TRUE
ENABLE_WEB_SERVER = TRUE
ALLOW_SOAP= */131.243.2.255
WEB_ROOT_DIR = /home/portnoy/dsd/Linux/condor/condor-6.8.1/lib/webservice
ALLOW_WRITE=* ## this needs to be tightened

Your setting for ALLOW_WRITE looks fishy to me.

a) it should be <user@uid>/<host>, so
     ALLOW_WRITE = */*
   looks better to me, although just a * should work ok.

b) I don't think condor_config will safely allow comments at the end of the line. That
may be messing up your setting of ALLOW_WRITE which could be the source
of your pain.  I think you need to start your comment on a new line.

Other than that, the above looks ok.

So it all works when QUEUE_ALL_USERS_TRUSTED = TRUE ?

And yes, you are correct, if you use a client side SSL cert then QUEUE_ALL_USERS_TRUSTED can/should be FALSE.

What are the error messages in (a) the schedd log file, and/or (b) the SOAP exception sent back to your client?


Hope this helps,
Todd


#QUEUE_ALL_USERS_TRUSTED=TRUE ## this is required for people to submit jobs via http but not https
COLLECTOR_SOAP_SSL_PORT=9619
SOAP_SSL_SERVER_KEYFILE = /var/condor/condor-6.8.1/private/key
SOAP_SSL_CA_DIR = /etc/condor/certificates
## condor-6.8.1 misnamed these two files
CERTIFICATE_MAPFILE     = /etc/condor/canonical_map
USER_MAPFILE    = /etc/condor/user_map
SEC_CANONICAL_MAPFILE   = /etc/condor/canonical_map
SEC_USER_MAPFILE        = /etc/condor/user_map
ENABLE_SOAP_SSL = TRUE




-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Todd Tannenbaum                       University of Wisconsin-Madison
Condor Project Research               Department of Computer Sciences
tannenba@xxxxxxxxxxx                  1210 W. Dayton St. Rm #4257
http://www.cs.wisc.edu/~tannenba      Madison, WI 53706-1685
Phone: (608) 263-7132  FAX: (608) 262-9777
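Added example (editor's illustration, not HTCondor code and not something posted in this thread): a small Python model of the trailing-comment pitfall Todd raises in point (b), plus a check for the QUEUE_ALL_USERS_TRUSTED setting the thread discusses. The assumption modelled here is that condor_config treats '#' as a comment marker only at the start of a line, so "ALLOW_WRITE=* ## this needs to be tightened" yields a value that contains the comment text rather than a bare "*". The sample fragment is constructed from the config posted above; the function names and the exact parsing rule are this example's own, so confirm the real behaviour on your installation with `condor_config_val ALLOW_WRITE` before relying on it.

```python
"""Model of the trailing-comment pitfall in condor_config (added example, not HTCondor code).

Assumption: '#' starts a comment only at the beginning of a line, so any
text after a value on the same line becomes part of that value.
"""

# Constructed sample, modelled on the fragment posted in the thread.
SAMPLE_CONFIG = """\
NETWORK_INTERFACE = 131.243.2.15
CONDOR_HOST=oliver.lbl.gov
ENABLE_SOAP=TRUE
ALLOW_SOAP= */131.243.2.255
ALLOW_WRITE=* ## this needs to be tightened
#QUEUE_ALL_USERS_TRUSTED=TRUE ## this is required for people to submit
ENABLE_SOAP_SSL = TRUE
"""

# Authorization knobs whose value must never silently absorb a comment.
AUTHZ_PREFIXES = ("ALLOW_", "DENY_", "HOSTALLOW_", "HOSTDENY_")


def parse_config(text):
    """Return {NAME: value} for every 'NAME = value' line.

    Only whole-line comments are skipped; after '=' nothing is removed
    except surrounding whitespace (the assumed condor_config behaviour).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip().upper()] = value.strip()
    return settings


def check_authz_values(settings):
    """Flag ALLOW_/DENY_ entries whose value carries a '#' (a swallowed comment)."""
    return [(name, value) for name, value in settings.items()
            if name.startswith(AUTHZ_PREFIXES) and "#" in value]


def check_queue_trust(settings):
    """Warn when QUEUE_ALL_USERS_TRUSTED is TRUE while SOAP SSL is enabled.

    Per the thread: with it TRUE, unauthenticated users may write to the
    queue and the client-supplied Owner attribute is trusted as-is, which
    defeats the purpose of authenticating with SSL client certificates.
    """
    trusted = settings.get("QUEUE_ALL_USERS_TRUSTED", "").upper() == "TRUE"
    ssl_on = settings.get("ENABLE_SOAP_SSL", "").upper() == "TRUE"
    if trusted and ssl_on:
        return "QUEUE_ALL_USERS_TRUSTED=TRUE trusts the client-supplied Owner despite SOAP SSL"
    return None


def fix_trailing_comments(text):
    """Move a trailing '# ...' onto its own line above the setting it annotated."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.lstrip().startswith("#") or "#" not in line:
            out.append(line)
            continue
        value, _, comment = line.partition("#")
        out.append("#" + comment)   # keep the note, as a whole-line comment
        out.append(value.rstrip())  # the setting, now without the trailing text
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for name, value in check_authz_values(parsed):
        print(f"suspicious {name} = {value!r}")
    warning = check_queue_trust(parsed)
    if warning:
        print("warning:", warning)
    print(fix_trailing_comments(SAMPLE_CONFIG))
```

Running it on the sample reports ALLOW_WRITE with the value '* ## this needs to be tightened', exactly the kind of mangled authorization list Todd suspects, and prints the fragment with the comment moved onto its own line so that ALLOW_WRITE parses to a bare '*'.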