[Condor-users] GSI authentication succeeds but authorization fails
Hi,

I am using version 6.9.4 of Condor.

If I have this in my condor_config

SEC_DEFAULT_NEGOTIATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = GSI
GSI_DAEMON_CERT =           /etc/grid-security/hostcert.pem
GSI_DAEMON_KEY  =           /etc/grid-security/hostkey.pem
GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
GSI_DAEMON_NAME = /DC=org/DC=doegrids/OU=Services/CN=ldg-portal.phys.uwm.edu
GRIDMAP = /etc/grid-security/grid-mapfile.condor
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_CRYPTO_METHODS = 3DES, BLOWFISH
ALLOW_READ = */ldg-portal.phys.uwm.edu
ALLOW_WRITE = */ldg-portal.phys.uwm.edu
ALLOW_ADMINISTRATOR = root@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
ALLOW_CONFIG = root@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
ALLOW_OWNER = root@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
ALLOW_NEGOTIATOR = condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu

and then I come into the machine ldg-portal.phys.uwm.edu with
a valid GSI proxy credential, I am able to run condor_q:

[skoranda@ldg-portal ~]$ grid-proxy-info
subject  : /DC=org/DC=doegrids/OU=People/CN=Scott Koranda 212488/CN=778514976/CN=1019116235
issuer   : /DC=org/DC=doegrids/OU=People/CN=Scott Koranda 212488/CN=778514976
identity : /DC=org/DC=doegrids/OU=People/CN=Scott Koranda 212488
type     : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_p19798.fileMgBptX.1
timeleft : 121:36:32  (5.0 days)
[skoranda@ldg-portal ~]$ /opt/condor/bin/condor_q


-- Submitter: ldg-portal.phys.uwm.edu : <129.89.61.100:57834>
: ldg-portal.phys.uwm.edu
 ID      OWNER            SUBMITTED     RUN_TIME ST PRI SIZE CMD

0 jobs; 0 idle, 0 running, 0 held

I see this in the SchedLog:

MyType = ""
TargetType = ""
Authentication = "YES"
Encryption = "YES"
Integrity = "YES"
AuthMethodsList = "GSI"
CryptoMethods = "3DES,BLOWFISH"
SessionDuration = "60"
Enact = "YES"
AuthMethods = "GSI"
Subsystem = "TOOL"
ServerPid = 20236
RemoteVersion = "$CondorVersion: 6.9.4 Aug 30 2007 $"
User = "skoranda@xxxxxxxxxxxxxxxxxxxxxxx"
Sid = "ldg-portal:20223:1190746445:1"
ValidCommands = "60007,60011,1111,457,471"
9/25 13:54:05 (fd:13) (pid:20223) DC_AUTHENTICATE: setting sock->decode()
9/25 13:54:05 (fd:13) (pid:20223) DC_AUTHENTICATE: allowing an empty message for sock.
9/25 13:54:05 (fd:13) (pid:20223) DC_AUTHENTICATE: Success.
9/25 13:54:05 (fd:13) (pid:20223) DaemonCore: Command received via TCP from skoranda@xxxxxxxxxxxxxxxxxxxxxxx from host <129.89.61.100:59721>
9/25 13:54:05 (fd:13) (pid:20223) DaemonCore: received command 1111 (QMGMT_CMD), calling handler (handle_q)

That this all works leads me to believe that I have GSI
authentication properly configured. Am I correct?

Note that

[root@ldg-portal log]# cat /etc/grid-security/grid-mapfile.condor
"/DC=org/DC=doegrids/OU=People/CN=Scott Koranda 212488" skoranda

When, however, I try to tighten up the authorization by
setting

ALLOW_READ = skoranda@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
ALLOW_WRITE = skoranda@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu

then I, as a user with the same GSI proxy credential, am not
authorized:

[skoranda@ldg-portal ~]$ /opt/condor/bin/condor_q

-- Failed to fetch ads from: <129.89.61.100:44342> :
ldg-portal.phys.uwm.edu

In the SchedLog I see

MyType = ""
TargetType = ""
Authentication = "YES"
Encryption = "YES"
Integrity = "YES"
AuthMethodsList = "GSI"
CryptoMethods = "3DES,BLOWFISH"
SessionDuration = "60"
Enact = "YES"
AuthMethods = "GSI"
Subsystem = "TOOL"
ServerPid = 20265
RemoteVersion = "$CondorVersion: 6.9.4 Aug 30 2007 $"
User = "skoranda@xxxxxxxxxxxxxxxxxxxxxxx"
Sid = "ldg-portal:20251:1190746878:0"
ValidCommands = "60007,60011,1111,457,471"
9/25 14:01:18 (fd:13) (pid:20251) DC_AUTHENTICATE: setting sock->decode()
9/25 14:01:18 (fd:13) (pid:20251) DC_AUTHENTICATE: allowing an empty message for sock.
9/25 14:01:18 (fd:13) (pid:20251) DC_AUTHENTICATE: Success.
9/25 14:01:18 (fd:13) (pid:20251) IPVERIFY: hoststring: ldg-portal.phys.uwm.edu
9/25 14:01:18 (fd:13) (pid:20251) IPVERIFY: hoststring: ldg-portal.phys.uwm.edu
9/25 14:01:19 (fd:13) (pid:20251) IPVERIFY: hoststring: ldg-portal.phys.uwm.edu
9/25 14:01:19 (fd:13) (pid:20251) IPVERIFY: hoststring: ldg-portal.phys.uwm.edu
9/25 14:01:20 (fd:13) (pid:20251) IPVERIFY: hoststring: ldg-portal.phys.uwm.edu
9/25 14:01:20 (fd:13) (pid:20251) IPVERIFY: hoststring: ldg-portal.phys.uwm.edu
9/25 14:01:20 (fd:13) (pid:20251) DaemonCore: PERMISSION DENIED to skoranda@xxxxxxxxxxxxxxxxxxxxxxx from host <129.89.61.100:42079> for command 1111 (QMGMT_CMD)
9/25 14:01:20 (fd:13) (pid:20251) CLOSE <129.89.61.100:44342> fd=12

Why am I not authorized?

Thanks,

Scott
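An added troubleshooting aid, not code from the post or from Condor: it pulls the `ALLOW_*` entries out of a config excerpt, the `User`, `IPVERIFY: hoststring` and `PERMISSION DENIED` lines out of a SchedLog excerpt, and reports which entries would admit the denied identity under a simplified `user@domain/host` wildcard model. The matching model and the `example.org` domains are assumptions for illustration, not Condor's actual matcher or the poster's masked values.

```python
import fnmatch
import re

# Constructed samples in the shape of the condor_config and SchedLog excerpts
# quoted in the post; the example.org domains are placeholders, not the poster's.
SAMPLE_CONFIG = """
ALLOW_READ = skoranda@example.org/ldg-portal.phys.uwm.edu
ALLOW_WRITE = */ldg-portal.phys.uwm.edu
"""
SAMPLE_LOG = """
User = "skoranda@cs.example.org"
9/25 14:01:18 (fd:13) (pid:20251) IPVERIFY: hoststring: ldg-portal.phys.uwm.edu
9/25 14:01:20 (fd:13) (pid:20251) DaemonCore: PERMISSION DENIED to skoranda@cs.example.org from host <129.89.61.100:42079> for command 1111 (QMGMT_CMD)
"""

def parse_allow_lists(config_text):
    """Map 'READ' -> [entries] from 'ALLOW_READ = a, b' style lines."""
    lists = {}
    for m in re.finditer(r'^\s*ALLOW_(\w+)\s*=\s*(.+?)\s*$', config_text, re.M):
        lists[m.group(1)] = [e.strip() for e in m.group(2).split(',') if e.strip()]
    return lists

def parse_denials(log_text):
    """Return (user, client_ip, command_id) tuples from 'PERMISSION DENIED' lines."""
    pat = re.compile(r'PERMISSION DENIED to (\S+) from host <([\d.]+):\d+> '
                     r'for command (\d+)')
    return [m.groups() for m in pat.finditer(log_text)]

def entry_matches(entry, user, host):
    """Simplified model (an assumption, not Condor's matcher): an entry is
    'user@domain/host', each side may use '*' wildcards, and an entry with
    no '/' is treated as a host-only pattern."""
    user_pat, sep, host_pat = entry.partition('/')
    if not sep:
        user_pat, host_pat = '*', entry
    return (fnmatch.fnmatchcase(user, user_pat)
            and fnmatch.fnmatchcase(host, host_pat))

def check_denials(config_text, log_text, level):
    """For each denial logged, return which ALLOW_<level> entries would have
    admitted that user at the host named on the last IPVERIFY line."""
    entries = parse_allow_lists(config_text).get(level, [])
    hosts = re.findall(r'IPVERIFY: hoststring: (\S+)', log_text)
    host = hosts[-1] if hosts else ''
    return [{'user': user, 'host': host, 'command': cmd,
             'matching_entries': [e for e in entries if entry_matches(e, user, host)]}
            for user, _ip, cmd in parse_denials(log_text)]

if __name__ == '__main__':
    for r in check_denials(SAMPLE_CONFIG, SAMPLE_LOG, 'READ'):
        print(r)
```

The point of the comparison is that the identity to match is the exact `User` string the daemon logs after authentication, domain included, not the local account the grid-mapfile maps the DN to.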