Mailing List Archives
Public Access
|
|
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Condor-users] job submssion fails with SSL in 6.8.4
- Date: Tue, 10 Apr 2007 12:01:50 +0100
- From: "Smith, Ian" <I.C.Smith@xxxxxxxxxxxxxxx>
- Subject: Re: [Condor-users] job submssion fails with SSL in 6.8.4
> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Zachary Miller
> Sent: 05 April 2007 22:53
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] job submssion fails with SSL in 6.8.4
>
> > C:\>condor_submit host.sub
> >
> > Submitting job(s)
> > ERROR: Failed to set Owner="smithic" for job 5.0 (0)
> >
> > ERROR: Failed to queue job.
>
> first, let me apologize for the lack of documentation.
>
> the reason it is failing is because condor doesn't know that
> your ssl credentials should be the user 'smithic'. so what
> you need here is a way to map the subject of your SSL
> certificate to a particular user, in this case 'smithic'.
>
> to do this, you need to define CERTIFICATE_MAPFILE in your
> condor_config to point to a file that does the mappings. the
> file format is simple. one line is a rule. each rule has
> three columns:
> AUTHMETHOD REGEX USERNAME
>
> in your case, you'll want:
>
> SSL (.*) smithic
>
>
> the forthcoming 6.9.2 manual has some rudimentary
> documentation on this, which can be found here:
> http://www.cs.wisc.edu/condor/manual/v6.9.2/3_6Security.html#21555
>
>
> note that the above example will map all users to 'smithic'.
> you may need to have several rules if you want different
> users, or use a RegEx to extract the username from the
> certificate subject, if it is the same as in the password file.
>
>
> SSL /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=zachskey zmiller
> SSL /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=ianskey smithic
> SSL /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=(.*) \1
>
>
> again, sorry for the lack of documentation... i am working on it.
> in the meantime, please feel free to ask more questions, as
> my answers will likely become the documentation. also, i
> dislike the name 'CERTIFICATE_MAPFILE' and was hoping to
> change it before this got officially released, so be prepared
> for all of this changing slightly in the future.
>
>
> cheers,
> -zach
>
Thanks for looking at this. I tried this and now I can submit a job
on the Win PC and get it to run on that machine. I'm confused as
to why the mapping is needed though - surely the certs are (in GSI
parlance) host certs not user ones. On the pool machines, Condor
jobs run under a special account of their own so presumably I map
all DNs onto that ? How do I tie a cert to a particular host ?
When I go to the manager/submit host and try to submit a job to the
Win PC it remains stuck in the idle state as before.
If I set up the mapfile on the manager it seems to disrupt the
production
service (which is what I was dreading would happen) - even though the
authentication is OPTIONAL ? When I submit a job I get
ERROR: Failed to set Owner="smithic" for job 124799.0 (13)
regards,
-ian.