[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] hostallow_advertise



Jason,

Setting the "advertise" allow lists should only be necessary if HOSTALLOW_DAEMON doesn't allow access. HOSTALLOW_DAEMON defaults to HOSTALLOW_WRITE. From the denial reason specified in your log file, it appears that HOSTALLOW_ADVERTISE_STARTD or one of those other things that it defaults to is not set the way you expect.

If you add either D_FULLDEBUG or D_SECURITY to the debug options of hte daemon you are looking at, it will print out the authorization policy that it is using the first time it authorizes somebody. (Use condor_reconfig to force it to print it out again the next time it needs to authorize somebody.) This may help you see what is going on.

--Dan

Jason Reilly wrote:
Hi all,

Not really a problem anymore, but I was having issues with a local condor cluster I set up where I kept getting the following error in my Collector.log:

PERMISSION DENIED to unauthenticated user from host <ipaddressofcomputenode> for command 1 (UPDATE_STARTD_AD), access level ADVERTISE_STARTD: reason: ADVERTISE_STARTD authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: <ipaddressofcomputenode>,<hostnameofcomputenode>


Despite all the configuration changes I made to HOSTALLOW_ADMINISTRATOR, HOSTALLOW_READ, or HOSTALLOW_WRITE, my compute nodes wouldn't successfully talk to my central manager's collector. I searched the documentation and found nothing worthwhile. On a hunch, I tried the following:

HOSTALLOW_ADVERTISE_STARTD = <subnet>

HOSTALLOW_ADVERTISE_SCHEDD = <subnet>

HOSTALLOW_ADVERTISE_MASTER = <subnet>

Adding these three HOSTALLOW's seemed to do the trick in allowing my compute nodes to talk to the central manager's collector. Did I miss this in the documentation or is it really just not documented anywhere? Do all deamon's require a similar HOSTALLOW?


Thanks,

Jason Reilly
_______________________________________________
Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/condor-users

The archives can be found at: https://lists.cs.wisc.edu/archive/condor-users/