[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] job submssion fails with SSL in 6.8.4


> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx 
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Zachary Miller
> Sent: 05 April 2007 22:53
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] job submssion fails with SSL in 6.8.4
> > C:\>condor_submit host.sub
> > 
> > Submitting job(s)
> > ERROR: Failed to set Owner="smithic" for job 5.0 (0)
> > 
> > ERROR: Failed to queue job.
> first, let me apologize for the lack of documentation.
> the reason it is failing is because condor doesn't know that 
> your ssl credentials should be the user 'smithic'.  so what 
> you need here is a way to map the subject of your SSL 
> certificate to a particular user, in this case 'smithic'.
> to do this, you need to define CERTIFICATE_MAPFILE in your 
> condor_config to point to a file that does the mappings.  the 
> file format is simple.  one line is a rule.  each rule has 
> three columns:
> in your case, you'll want:
> SSL  (.*)  smithic
> the forthcoming 6.9.2 manual has some rudimentary 
> documentation on this, which can be found here:
>   http://www.cs.wisc.edu/condor/manual/v6.9.2/3_6Security.html#21555
> note that the above example will map all users to 'smithic'.  
> you may need to have several rules if you want different 
> users, or use a RegEx to extract the username from the 
> certificate subject, if it is the same as in the password file.
> SSL   /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=zachskey  zmiller
> SSL   /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=ianskey   smithic
> SSL   /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=(.*)      \1
> again, sorry for the lack of documentation... i am working on it.
> in the meantime, please feel free to ask more questions, as 
> my answers will likely become the documentation.  also, i 
> dislike the name 'CERTIFICATE_MAPFILE' and was hoping to 
> change it before this got officially released, so be prepared 
> for all of this changing slightly in the future.
> cheers,
> -zach

Thanks for looking at this. I tried this and now I can submit a job
on the Win PC and get it to run on that machine. I'm confused as
to why the mapping is needed though - surely the certs are (in GSI
parlance) host certs not user ones. On the pool machines, Condor
jobs run under a special account of their own so presumably I map
all DNs onto that ? How do I tie a cert to a particular host ?

When I go to the manager/submit host and try to submit a job to the
Win PC it remains stuck in the idle state as before. 

If I set up the mapfile on the manager it seems to disrupt the
service (which is what I was dreading would happen) - even though the
authentication is OPTIONAL ?  When I submit a job I get

ERROR: Failed to set Owner="smithic" for job 124799.0 (13)