
[Condor-users] Latest attempts at SOAP SSL w/ tight config



OK.

Thanks for clarifying some of the problems I was having with restrictive permissions on SOAP SSL. I adjusted HOSTALLOW_WRITE to correspond to ALLOW_WRITE and removed comments at the end of config variable lines.

Here's what I am seeing:

## Too loose (anybody can connect)
ALLOW_WRITE=*
HOSTALLOW_WRITE = *
QUEUE_ALL_USERS_TRUSTED=TRUE

Client side: works OK
Server side:
9/26 13:28:32 SOAP entered beginTransaction(), transaction: 0
9/26 13:28:32 SOAP leaving beginTransaction() result=0
9/26 13:28:32 SOAP entered newCluster(), transaction: 428699648
9/26 13:28:32 SOAP leaving newCluster() result=0
9/26 13:28:32 SOAP entered newJob(), transaction: 428699648
9/26 13:28:32 SOAP leaving newJob() result=0


## Too loose (trusts all users)
ALLOW_WRITE=*/131.243.2.0/32
HOSTALLOW_WRITE = 131.243.2.*
QUEUE_ALL_USERS_TRUSTED=TRUE

Client side: works
Server side:
9/26 13:29:37 SOAP entered beginTransaction(), transaction: 0
9/26 13:29:37 SOAP leaving beginTransaction() result=0
9/26 13:29:37 SOAP entered newCluster(), transaction: 428716288
9/26 13:29:37 SOAP leaving newCluster() result=0
9/26 13:29:37 SOAP entered newJob(), transaction: 428716288
9/26 13:29:37 SOAP leaving newJob() result=0


## This combo fails (anonymous user not permitted)
ALLOW_WRITE=*/131.243.2.0/32
HOSTALLOW_WRITE = 131.243.2.*
QUEUE_ALL_USERS_TRUSTED=FALSE

Client side: doesn't work
Server side error:
9/26 13:31:11 Received HTTP POST connection from <131.243.2.15:44794>
9/26 13:31:11 SOAP entered beginTransaction(), transaction: 0
9/26 13:31:11 SOAP leaving beginTransaction() result=0
9/26 13:31:11 SOAP entered newCluster(), transaction: 428740352
9/26 13:31:11 QMGT command failed: anonymous user not permitted
9/26 13:31:11 NewCluser(): OwnerCheck failed
9/26 13:31:11 SOAP leaving newCluster() result=1
9/26 13:31:11 Completed servicing HTTP request


This does seem to be a problem, because the collector log said we authenticated as a user, not an anonymous one:
9/26 13:31:11 SOAP SSL connection attempt from <131.243.2.15:50097> succeeded
9/26 13:31:11 SOAP SSL connection from <131.243.2.15:50097>, X509 subject: /DC=org/DC=doegrids/OU=People/CN=David E. Konerding 692119
9/26 13:31:11 SOAP SSL connection subject mapped to 'dek'
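As an added example (not from the original post or from Condor itself), a small log-correlation script that flags the contradiction reported above: the collector mapped the SSL subject to a real user while the schedd rejected the same request as anonymous. The sample lines are copied from the excerpts in the post; correlating by timestamp is an assumption, since the two connections use different source ports.

```python
import re

# Constructed samples, taken from the log excerpts quoted in the post
SCHEDD_LOG = """\
9/26 13:31:11 Received HTTP POST connection from <131.243.2.15:44794>
9/26 13:31:11 SOAP entered newCluster(), transaction: 428740352
9/26 13:31:11 QMGT command failed: anonymous user not permitted
9/26 13:31:11 NewCluser(): OwnerCheck failed
9/26 13:31:11 SOAP leaving newCluster() result=1
"""
COLLECTOR_LOG = """\
9/26 13:31:11 SOAP SSL connection attempt from <131.243.2.15:50097> succeeded
9/26 13:31:11 SOAP SSL connection from <131.243.2.15:50097>, X509 subject: /DC=org/DC=doegrids/OU=People/CN=David E. Konerding 692119
9/26 13:31:11 SOAP SSL connection subject mapped to 'dek'
"""

TS = r"(?P<ts>\d+/\d+ \d\d:\d\d:\d\d) "
RE_SUBJECT = re.compile(TS + r"SOAP SSL connection from <(?P<peer>[^>]+)>, X509 subject: (?P<dn>.*)")
RE_MAPPED = re.compile(TS + r"SOAP SSL connection subject mapped to '(?P<user>[^']+)'")
RE_ANON = re.compile(TS + r"QMGT command failed: anonymous user not permitted")

def ssl_identities(collector_log):
    """Map timestamp -> list of {ip, dn, user} from the collector log.
    The 'mapped to' line carries no address, so it is attached to the
    most recent X509 subject line (the daemon logs them back to back)."""
    ids, pending = {}, None
    for line in collector_log.splitlines():
        m = RE_SUBJECT.match(line)
        if m:
            pending = (m["ts"], m["peer"].split(":")[0], m["dn"])
            continue
        m = RE_MAPPED.match(line)
        if m and pending:
            ts, ip, dn = pending
            ids.setdefault(ts, []).append({"ip": ip, "dn": dn, "user": m["user"]})
            pending = None
    return ids

def find_identity_mismatches(schedd_log, collector_log):
    """Flag QMGT 'anonymous user' rejections that fall in the same second
    as an SSL connection the collector had mapped to a real user (heuristic)."""
    ids = ssl_identities(collector_log)
    return [{"ts": m["ts"], **ident}
            for m in map(RE_ANON.match, schedd_log.splitlines()) if m
            for ident in ids.get(m["ts"], [])]

if __name__ == "__main__":
    for h in find_identity_mismatches(SCHEDD_LOG, COLLECTOR_LOG):
        print(f"{h['ts']}: {h['ip']} authenticated as {h['dn']} -> '{h['user']}', "
              "yet QMGT treated the request as anonymous")
```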