
[Condor-users] User based authentication in Condor


I'm currently testing the user based authentication as I want to
replace our previous host based authentication. I'm facing some issues
(probably caused by my limited understanding about how to set this up
properly). I started with a single machine (central
manager/submit/execute host) as testbed for the new mechanism (Windows
Server 2003 R2). This is what I've done:

1. Inserted the following settings into the local config file:

# All users in our domain should be allowed to query the pool and submit jobs
ALLOW_READ            = *@<our_domain>/*.$(UID_DOMAIN)
ALLOW_WRITE           = *@<our_domain>/*.$(UID_DOMAIN)
# only I have admin and owner rights
ALLOW_ADMINISTRATOR   = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
ALLOW_CONFIG          = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
ALLOW_OWNER           = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)

2. Registered the shared secret using condor_store_cred -c add (worked OK)

3. Restarted Condor

Now, the daemons can't communicate with the master and in the master
log I can see:

06/03/11 17:13:04 Adding to resolved authorization table:
unauthenticated@unmapped/ DENY_DAEMON
06/03/11 17:13:04 PERMISSION DENIED to unauthenticated@unmapped from
host for command 60008 (DC_CHILDALIVE), access level DAEMON:
reason: DAEMON authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host:,<our_machine_name>

Any idea what could cause this? I've read section 3.6 of the
manual carefully and found something about a "map file". Is it
necessary to somehow map "unauthenticated@unmapped" to something
meaningful using the map file (to be honest, I did not fully understand
what the map file does)?

Thanks for your help!
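For reference, an added configuration example (not from the original post, and not a confirmed reply from the thread): the log excerpt above says the DAEMON authorization policy has no matching ALLOW entry, and the posted config sets ALLOW_READ/WRITE/ADMINISTRATOR/CONFIG/OWNER but no ALLOW_DAEMON, so the daemon-to-daemon traffic (DC_CHILDALIVE) falls through to the default deny. The fragment below shows what the same local config looks like with daemon authorization added. It assumes that the daemons authenticate to each other with the PASSWORD method using the pool password stored via condor_store_cred -c add, which in HTCondor yields the identity condor_pool@$(UID_DOMAIN); whether that alone resolves the poster's situation is an assumption, not something the thread establishes.

```ini
# Added example, not the original poster's config.
# Require authentication for daemon-level commands and use the shared
# pool password (registered with "condor_store_cred -c add") for it.
SEC_DAEMON_AUTHENTICATION          = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS  = PASSWORD

# Clients (condor_submit, condor_q, ...) on Windows authenticate with
# NTSSPI, which yields user@<our_domain>; PASSWORD is kept as a fallback
# for tools run by the daemons themselves.
SEC_CLIENT_AUTHENTICATION          = REQUIRED
SEC_CLIENT_AUTHENTICATION_METHODS  = NTSSPI, PASSWORD

# Same user-level policy as in the post.
ALLOW_READ            = *@<our_domain>/*.$(UID_DOMAIN)
ALLOW_WRITE           = *@<our_domain>/*.$(UID_DOMAIN)
ALLOW_ADMINISTRATOR   = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
ALLOW_CONFIG          = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
ALLOW_OWNER           = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)

# The missing piece: DAEMON access for the identity the PASSWORD method
# produces. Assumption: the pool-password identity is condor_pool@$(UID_DOMAIN);
# restricting it to hosts in the UID domain keeps the shared secret from
# being usable from an arbitrary host on the network.
ALLOW_DAEMON          = condor_pool@$(UID_DOMAIN)/*.$(UID_DOMAIN)
```

After a restart, the master log line "Adding to resolved authorization table" should list condor_pool@$(UID_DOMAIN) under ALLOW_DAEMON rather than only the unauthenticated@unmapped DENY entry; if the daemons still show up as unauthenticated@unmapped, they are not actually completing PASSWORD authentication (check SEC_PASSWORD_FILE and that the credential was stored for the account the daemons run under). A map file is not needed for this: it only rewrites authenticated names into canonical ones, and an unauthenticated connection has no name to map.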