
Re: [Condor-users] GSI gridmap fail on 7.6.6



After further investigation with strace, it turned out that the
grid-mapfile was being completely ignored.  condor 7.6.6 appears to
support the gsi-authz interface for user mappings while 7.4.1 did not.
Since we have an /etc/grid-security/gsi-authz.conf for glexec, condor
would find that and skip our grid-mapfile.

By setting and exporting GSI_AUTHZ_CONF=/this/is/an/invalid/file in
/etc/sysconfig/condor, we can see that the grid-mapfile mapping now
takes place.

--Mike
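The mapping decision Mike describes above, as an added example that is not code from the thread, from Condor or from Globus: a POSIX shell script that reproduces what an admin would want to check on a host before upgrading. Two things in it are assumptions drawn from his report rather than verified against the Condor source: that the callout configuration is looked for first in GSI_AUTHZ_CONF and then at /etc/grid-security/gsi-authz.conf, and that an unreadable GSI_AUTHZ_CONF disables the callout (so mapping falls back to GRIDMAP) instead of failing the authentication. The grid-mapfile contents and the gsi-authz.conf it creates are constructed for the demonstration; the DN is the one from Steven's post.

```shell
#!/bin/sh
# Added example (not from the thread or from Condor): model the user-mapping
# decision described in the reply so a host can be checked before deployment.
# ASSUMPTIONS: callout config lookup order is $GSI_AUTHZ_CONF, then
# SYSCONFDIR/gsi-authz.conf; an unreadable $GSI_AUTHZ_CONF disables the
# callout rather than failing authentication (this is the reported workaround,
# modelled here, not verified against the Condor source).

# gridmap_lookup FILE DN
# Prints the first account mapped to DN in a standard grid-mapfile
# ("/DN" account[,account...]) and returns 0; returns 1 if DN is absent.
gridmap_lookup() {
    _file=$1; _dn=$2
    while IFS= read -r _line; do
        case $_line in
            ''|\#*) continue ;;      # blank lines and comments
            \"*) ;;                  # quoted DN: parsed below
            *) continue ;;           # malformed line: skip it
        esac
        _entry=${_line#\"}; _entry=${_entry%%\"*}      # text inside the quotes
        [ "$_entry" = "$_dn" ] || continue
        _rest=${_line#\"*\"}                           # after the closing quote
        _rest=${_rest#"${_rest%%[![:space:]]*}"}       # trim leading whitespace
        _acct=${_rest%%[[:space:],]*}                  # first account only
        [ -n "$_acct" ] || return 1
        printf '%s\n' "$_acct"
        return 0
    done < "$_file"
    return 1
}

# authz_conf_in_use [SYSCONFDIR]
# Prints the gsi-authz.conf an authz-aware daemon would load and returns 0;
# returns 1 (prints nothing) when GRIDMAP will be consulted instead.
authz_conf_in_use() {
    _dir=${1:-/etc/grid-security}
    if [ -n "${GSI_AUTHZ_CONF:-}" ]; then
        _conf=$GSI_AUTHZ_CONF      # explicit setting wins, even if unreadable
    else
        _conf=$_dir/gsi-authz.conf
    fi
    if [ -r "$_conf" ]; then
        printf '%s\n' "$_conf"
        return 0
    fi
    return 1
}

# explain_mapping GRIDMAP DN [SYSCONFDIR]
# Prints one of:
#   callout:<conf>     the daemon consults the authz callout, GRIDMAP is ignored
#   gridmap:<account>  GRIDMAP maps DN to <account>
#   unmapped           neither applies: this is the "gsi@unmapped" seen in the logs
explain_mapping() {
    _conf=$(authz_conf_in_use "${3:-/etc/grid-security}") && {
        printf 'callout:%s\n' "$_conf"; return 0; }
    _acct=$(gridmap_lookup "$1" "$2") && {
        printf 'gridmap:%s\n' "$_acct"; return 0; }
    printf 'unmapped\n'
    return 1
}

# Walk through the four states discussed in the thread using constructed files.
demo() {
    _t=$(mktemp -d) || return 1
    cat > "$_t/grid-mapfile" <<'EOF'
# constructed sample grid-mapfile for this example
"/DC=org/DC=doegrids/OU=Services/CN=compute-10-33.ultralight.org" condor
"/DC=org/DC=doegrids/OU=Services/CN=compute-13-1.ultralight.org" condor,cms
EOF
    _dn='/DC=org/DC=doegrids/OU=Services/CN=compute-10-33.ultralight.org'
    unset GSI_AUTHZ_CONF
    printf '1. no gsi-authz.conf:       %s\n' "$(explain_mapping "$_t/grid-mapfile" "$_dn" "$_t")"
    : > "$_t/gsi-authz.conf"           # glexec's callout config appears
    printf '2. gsi-authz.conf present:  %s\n' "$(explain_mapping "$_t/grid-mapfile" "$_dn" "$_t")"
    GSI_AUTHZ_CONF=/this/is/an/invalid/file; export GSI_AUTHZ_CONF   # the workaround
    printf '3. GSI_AUTHZ_CONF invalid:  %s\n' "$(explain_mapping "$_t/grid-mapfile" "$_dn" "$_t")"
    printf '4. DN not in grid-mapfile:  %s\n' "$(explain_mapping "$_t/grid-mapfile" /DC=org/CN=nobody "$_t")"
    rm -rf "$_t"
}
demo
```

On a real host, run explain_mapping against the value of `condor_config_val GRIDMAP` and with the environment the daemons actually start under (the /etc/sysconfig/condor exports, not an interactive shell), since the workaround only takes effect if GSI_AUTHZ_CONF reaches the condor_master process. Note that the workaround is a deliberate bypass of a mapping mechanism the newer version supports: it should be recorded alongside the glexec configuration so that nobody later "fixes" the invalid path and silently switches daemon-to-daemon mapping to the glexec callout policy.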

On 02/09/2012 12:57 PM, Steven Timm wrote:
> Looks like you are dealing with some kind of a DNS issue on a public vs.
> private net.
> You have ALLOW_DAEMON from hosts that have host names like
> ultralight.org, which are in your gridmap file, but the IPs that you are
> showing in the log file don't resolve to ultralight.org, or in
> fact to anything at all.
> 
> You need to either also include the private net ip's of interest
> in your ALLOW list, or use the NETWORK_INTERFACE setting to make
> sure all the daemons you need are using the public ultralight.org ip.
> 
> Steve Timm
> 
> 
> On Thu, 9 Feb 2012, Steven Lo wrote:
> 
>>
>> Hi,
>>
>> We are in the process of testing Condor version 7.6.6 with our existing
>> version 7.4.1.  If all goes well, we will upgrade all to 7.6.6.
>>
>> We are having a problem with the GSI authentication part.  Looks like
>> the gridmap lookup of the host certificate in the gridmap is not
>> working properly.
>>
>> The following is part of the MasterLog:
>>
>> 02/09/12 09:17:50 This process has a valid certificate & key
>> 02/09/12 09:17:50 Adding to resolved authorization table:
>> gsi@unmapped/10.3.255.107: DENY_DAEMON
>> 02/09/12 09:17:50 PERMISSION DENIED to gsi@unmapped from host
>> 10.3.255.107 for command 60008 (DC_CHILDALIVE), access level DAEMON:
>> reason: DAEMON authorization policy contains no matching ALLOW entry
>> for this request; identifiers used for this host:
>> 10.3.255.107,compute-10-33.local,compute-10-33
>> 02/09/12 09:17:50 PERMISSION DENIED to gsi@unmapped from host
>> 10.3.255.107 for command 60008 (DC_CHILDALIVE), access level DAEMON:
>> reason: cached result for DAEMON; see first case for the full reason
>>
>>
>> The following is part of the StartLog:
>>
>> 02/09/12 09:20:23 PERMISSION DENIED to gsi@unmapped from host
>> 10.3.255.168 for command 442 (REQUEST_CLAIM), access level DAEMON:
>> reason: DAEMON authorization policy contains no matching ALLOW entry
>> for this request; identifiers used for this host:
>> 10.3.255.168,gatekeeper-13-12.local
>>
>>
>> The following is security section of the condor_config file:
>>
>> SEC_DAEMON_AUTHENTICATION = REQUIRED
>> SEC_DAEMON_INTEGRITY = REQUIRED
>> SEC_DAEMON_AUTHENTICATION_METHODS = GSI
>> SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
>> SEC_NEGOTIATOR_INTEGRITY = REQUIRED
>> SEC_NEGOTIATOR_AUTHENTICATION_METHODS = GSI
>>
>> ALLOW_DAEMON = *@ultralight.org/*.ultralight.org
>> ALLOW_NEGOTIATOR = *@ultralight.org/*.ultralight.org
>>
>> GSI_DAEMON_DIRECTORY      = /etc/grid-security
>> GSI_DAEMON_CERT           = $(GSI_DAEMON_DIRECTORY)/condorcert.pem
>> GSI_DAEMON_KEY            = $(GSI_DAEMON_DIRECTORY)/condorkey.pem
>> GSI_DAEMON_TRUSTED_CA_DIR = $(GSI_DAEMON_DIRECTORY)/certificates
>> #GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
>> GSI_NEGOTIATOR_TRUSTED_CA_DIR = /etc/grid-security/certificates
>> GSI_DAEMON_NAME           = /DC=org/DC=doegrids/OU=Services/CN=compute-10-33.ultralight.org,/DC=org/DC=doegrids/OU=Services/CN=compute-13-1.ultralight.org
>>
>> GRIDMAP                   = /etc/grid-security/grid-mapfile
>>
>>
>> The following is the certificate subject for the test host:
>>
>> Subject: DC=org, DC=doegrids, OU=Services,
>> CN=compute-10-33.ultralight.org
>>
>>
>>
>> We've also attached the MasterLog.debug file and the grid-mapfile.
>>
>>
>> Thanks in advance for your help.
>>
>> Steven Lo
>> Caltech CMS Tier2 Administrator
>>
>>
>>
> 
> ------------------------------------------------------------------
> Steven C. Timm, Ph.D  (630) 840-8525
> timm@xxxxxxxx  http://home.fnal.gov/~timm/
> Fermilab Computing Division, Scientific Computing Facilities,
> Grid Facilities Department, FermiGrid Services Group, Group Leader.
> Lead of FermiCloud project.
> _______________________________________________
> Condor-users mailing list
> To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users
> 
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/condor-users/