
Re: [Condor-users] GSI authentication succeeds but authorization fails



> Thanks. I got over the conceptual hurdle that I have to map my
> cert DN to a Condor user ID and not a UNIX ID.
> 
> Next question: Do I have to also map the certificate that is
> being used by the daemons to a Condor user ID in order for the
> daemons to talk amongst themselves? 
> 
> More specifically, do I have to map
> 
> "/DC=org/DC=doegrids/OU=Services/CN=ldg-portal.phys.uwm.edu" condor@xxxxxxxxxxxx
> 
> Recall that I have
> 
> SEC_DEFAULT_NEGOTIATION = REQUIRED
> SEC_DEFAULT_AUTHENTICATION = REQUIRED
> SEC_DEFAULT_AUTHENTICATION_METHODS = GSI
> GSI_DAEMON_CERT =           /etc/grid-security/hostcert.pem
> GSI_DAEMON_KEY  =           /etc/grid-security/hostkey.pem
> GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
> GSI_DAEMON_NAME = /DC=org/DC=doegrids/OU=Services/CN=ldg-portal.phys.uwm.edu
> GRIDMAP = /etc/grid-security/grid-mapfile.condor
> SEC_DEFAULT_INTEGRITY = REQUIRED
> SEC_DEFAULT_ENCRYPTION = REQUIRED
> SEC_DEFAULT_CRYPTO_METHODS = 3DES, BLOWFISH
> 
> And now I have added
> 
> ## Only the condor user has administrator, config, and owner
> ## authorization
> ALLOW_ADMINISTRATOR = condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
> ALLOW_CONFIG = condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
> ALLOW_OWNER = condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
> 
> ## Only the Condor user has negotiator authorization
> ALLOW_NEGOTIATOR = condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
> 
> I ask because although I can run condor_status using my GSI
> proxy credential, it returns empty and my submitted jobs are
> not running (with START=True). So I suspect Condor is unhappy
> at the daemon level.
> 

Well, certainly I needed to add
condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu to the ALLOW_READ
and ALLOW_WRITE.

Having done that, my jobs ran.

Thanks,

Scott
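As an added check (not code from Condor or from this thread), the script below reads a grid-mapfile and a config excerpt and reports the authorization levels at which the daemon's own mapped identity is missing, which is the gap Scott found above. The GRIDMAP and CONFIG samples, the example.org UID domain and the matching rules are constructed assumptions that simplify Condor's real ALLOW_* semantics.

```python
import shlex
from fnmatch import fnmatchcase

# Constructed sample grid-mapfile in the thread's GRIDMAP format:
# a quoted certificate DN followed by the Condor user it maps to.
GRIDMAP = '''
"/DC=org/DC=doegrids/OU=Services/CN=ldg-portal.phys.uwm.edu" condor@example.org
"/DC=org/DC=doegrids/OU=People/CN=Scott Example 123456" scott@example.org
'''

# Constructed config excerpt. ALLOW_READ / ALLOW_WRITE deliberately
# omit the daemon identity, reproducing the thread's misconfiguration.
CONFIG = '''
GSI_DAEMON_NAME = /DC=org/DC=doegrids/OU=Services/CN=ldg-portal.phys.uwm.edu
ALLOW_ADMINISTRATOR = condor@example.org/ldg-portal.phys.uwm.edu
ALLOW_NEGOTIATOR = condor@example.org/ldg-portal.phys.uwm.edu
ALLOW_READ = scott@example.org/*
ALLOW_WRITE = scott@example.org/*
'''

def parse_gridmap(text):
    """DN -> Condor user. Hypothetical helper, not Condor's own parser."""
    mapping = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # quoted DN is one token
        if len(parts) >= 2:
            mapping[parts[0]] = parts[1]
    return mapping

def parse_config(text):
    """Flat KEY = VALUE parsing of a config excerpt (no macro expansion)."""
    cfg = {}
    for line in text.splitlines():
        if '=' in line and not line.lstrip().startswith('#'):
            key, value = line.split('=', 1)
            cfg[key.strip()] = value.strip()
    return cfg

def allow_matches(entry, user, host):
    """Simplified user@domain/host matching with '*' wildcards (assumption)."""
    user_pat, _, host_pat = entry.partition('/')
    return fnmatchcase(user, user_pat) and fnmatchcase(host, host_pat or '*')

def is_authorized(cfg, level, user, host):
    entries = [e.strip() for e in cfg.get('ALLOW_' + level, '').split(',') if e.strip()]
    return any(allow_matches(e, user, host) for e in entries)

def daemon_authz_gaps(cfg, gridmap, host):
    """Levels at which the daemon's mapped identity is not allowed."""
    user = gridmap.get(cfg['GSI_DAEMON_NAME'])
    if user is None:
        return ['UNMAPPED_DN']  # DN never reaches the ALLOW_* lists at all
    return [lvl for lvl in ('READ', 'WRITE', 'ADMINISTRATOR', 'NEGOTIATOR')
            if not is_authorized(cfg, lvl, user, host)]
```

Run against the samples it reports READ and WRITE as the missing levels, matching the fix Scott describes; an unmapped daemon DN is reported separately because authentication would then succeed but no identity would exist to authorize.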