
Re: [Condor-users] can't have ADMIN acces



Hi,

Sorry to reply to myself, but I just understood that I should not mix
the new (user based) and the old (IP based) security settings for a
feature. So if I comment out HOSTDENY_ADMINISTRATOR = *, my setup works.

I have one other question. Both condor_restart and condor_reconfig
need admin access. But this doesn't seem to be the case, as if I have in
my config file:

#HOSTALLOW_ADMINISTRATOR = $(CONDOR_HOST)
#HOSTDENY_ADMINISTRATOR = *
ALLOW_ADMINISTRATOR = test-user@xxxxxxxxxxxxxxxx/*.iro.umontreal.ca

test-user can use condor_restart and condor_reconfig and the log shows
that it works.
Other users are denied access to condor_restart, but are allowed to do
condor_reconfig!
So this means that condor_reconfig and condor_restart don't use the
same authorisation setting. But I think they use the same.

Here is the log from condor_reconfig from a user that should not be authorised:

4/7 13:48:43 DC_AUTHENTICATE: Success.
4/7 13:48:43 IPVERIFY: matched with *.iro.umontreal.ca
4/7 13:48:43 IPVERIFY: hoststring: mona01
4/7 13:48:43 Reconfiguring all running daemons.
4/7 13:48:43 Sent SIGHUP to STARTD (pid 4981)

Here is the log from condor_restart from a user that should not be authorised:

4/7 13:51:52 DC_AUTHENTICATE: Success.
4/7 13:51:52 DaemonCore: PERMISSION DENIED to lisa@xxxxxxxxxxxxxxxx
from host <132.204.26.124:58194> for command 453 (RESTART), access
level ADMINISTRATOR

Can someone confirm that condor_restart and condor_reconfig should use
the same authorisation setting for admin?

Thanks

Frederic Bastien
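A small model of the user-based ALLOW/DENY matching discussed in this thread, plus a parser for the PERMISSION DENIED lines shown above, added here as an example (not Condor's own code or the poster's). It assumes deny-before-allow semantics and uses constructed stand-ins for the obfuscated domain.

```python
import fnmatch
import re

# Simplified model of Condor's user-based ALLOW_*/DENY_* matching (an assumption
# made for this example, not Condor's implementation). An entry looks like
# 'user@domain/host'; a bare entry containing '@' is treated as a user pattern,
# any other bare entry as a host pattern; '*' is a wildcard. Any DENY match wins
# over ALLOW, which is why a blanket 'DENY = *' blocks every admin command.

def parse_entry(entry):
    entry = entry.strip()
    if "/" in entry:
        user_pat, host_pat = entry.split("/", 1)
    elif "@" in entry:
        user_pat, host_pat = entry, "*"
    else:
        user_pat, host_pat = "*", entry
    return user_pat or "*", host_pat or "*"

def entry_matches(entry, user, host):
    user_pat, host_pat = parse_entry(entry)
    return (fnmatch.fnmatchcase(user, user_pat)
            and fnmatch.fnmatchcase(host, host_pat))

def is_authorized(allow, deny, user, host):
    """True only if no DENY entry matches and at least one ALLOW entry does."""
    if any(entry_matches(e, user, host) for e in deny):
        return False
    return any(entry_matches(e, user, host) for e in allow)

# Matches the DaemonCore line format quoted in the thread (one line per event).
DENIED_RE = re.compile(
    r"PERMISSION DENIED to (?P<user>\S+) from host <(?P<host>[^>]+)> "
    r"for command (?P<cmd>\d+) \((?P<name>\w+)\), access level (?P<level>\w+)")

def denied_events(log_text):
    """Extract (user, host:port, command name, access level) for audit review."""
    return [(m["user"], m["host"], m["name"], m["level"])
            for m in DENIED_RE.finditer(log_text)]

# Constructed stand-ins for the obfuscated user@domain values in the thread.
ADMIN = "test-user@example.org"
ALLOW = ["test-user@example.org/*.iro.umontreal.ca"]
SAMPLE_LOG = ("4/7 13:51:52 DaemonCore: PERMISSION DENIED to lisa@example.org "
              "from host <132.204.26.124:58194> for command 453 (RESTART), "
              "access level ADMINISTRATOR\n")

if __name__ == "__main__":
    print(is_authorized(["*"], ["*"], ADMIN, "mona01.iro.umontreal.ca"))  # deny wins
    print(is_authorized(ALLOW, [], ADMIN, "mona01.iro.umontreal.ca"))     # allowed
    print(is_authorized(ALLOW, [], "lisa@example.org", "mona01.iro.umontreal.ca"))
    print(denied_events(SAMPLE_LOG))
```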

On Mon, Apr 7, 2008 at 1:24 PM, Frédéric Bastien <nouiz@xxxxxxxxx> wrote:
> Hi,
>
>  Thanks, that helped me to get more debug information. The problem is
>  that I can't trust all users of one machine. So I set
>  "HOSTDENY_ADMINISTRATOR = *" in my config file. So my config looks
>  like:
>
>  #HOSTALLOW_ADMINISTRATOR = $(CONDOR_HOST)
>  HOSTDENY_ADMINISTRATOR = *
>  ALLOW_ADMINISTRATOR = *
>
>  What I need is to allow only one person and not a whole IP. Is this
>  possible? I was under the impression that it was.
>
>  What I would like minimally is at least to allow one user on the local
>  machine (me). Ideally, I would like to trust me from all computers on our
>  network or from the central manager so that I can use the admin
>  commands globally. I thought that
>
>  ALLOW_ADMINISTRATOR = test-user@xxxxxxxxxxxxxxxx/*.iro.umontreal.ca
>
>  would do that, but it failed. So I tried ALLOW_ADMINISTRATOR = *,
>  which also failed.
>
>  Any idea how this can be done?
>
>  Thanks
>
>  Frederic Bastien
>
>
>
>  On Mon, Apr 7, 2008 at 12:48 PM, Dan Bradley <dan@xxxxxxxxxxxx> wrote:
>  >
>  >  Add D_SECURITY to your configuration setting for ALL_DEBUG and restart
>  >  condor.  Then try the same administrative command.  There should be
>  >  information in the log file about how condor is building up the
>  >  authorization table.  If it doesn't make sense to you, please send this
>  >  information to condor-admin@xxxxxxxxxxxx
>  >
>  >  --Dan
>  >
>  >
>  >
>  >  Frédéric Bastien wrote:
>  >
>  >  >Hi,
>  >  >
>  >  >I have a strange error with authentication. In my config file, I set
>  >  >
>  >  >ALLOW_ADMINISTRATOR = *
>  >  >
>  >  >But when I execute condor_restart I get a PERMISSION DENIED in the
>  >  >MasterLog file
>  >  >
>  >  >4/7 11:16:15 ZKM: setting default map to (null)
>  >  >4/7 11:16:21 ZKM: setting default map to test-user@xxxxxxxxxxxxxxxx
>  >  >4/7 11:16:21 DaemonCore: PERMISSION DENIED to
>  >  >test-user@xxxxxxxxxxxxxxxx from host <132.204.26.124:36061> for
>  >  >command 453 (RESTART), access level ADMINISTRATOR
>  >  >4/7 11:16:21 ZKM: setting default map to condor@xxxxxxxxxxxxxxxx
>  >  >
>  >  >The value of ALLOW_ADMINISTRATOR is correctly read, as
>  >  >condor_config_val ALLOW_ADMINISTRATOR returns:
>  >  >*
>  >  >
>  >  >Do you have any clue what can cause this? I use condor version 7.0.1.
>  >  >
>  >  >Also, I don't want ALLOW_ADMINISTRATOR = * in the config file. I
>  >  >want to put my username. But they both fail.
>  >  >
>  >  >Thanks for your time
>  >  >
>  >  >Frederic Bastien
>  >  >_______________________________________________
>  >  >Condor-users mailing list
>  >  >To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
>  >  >subject: Unsubscribe
>  >  >You can also unsubscribe by visiting
>  >  >https://lists.cs.wisc.edu/mailman/listinfo/condor-users
>  >  >
>  >  >The archives can be found at:
>  >  >https://lists.cs.wisc.edu/archive/condor-users/
>  >  >
>  >  >
>