
Re: [Condor-users] GSI gridmap fail on 7.6.6



Interesting!  That's a stealth feature which I (among others) had
requested years ago but had no idea that they were planning to put in,
or had put in.  Guess I'd better check the release notes better.

Steve




On Thu, 9 Feb 2012, Michael Thomas wrote:

After further investigation with strace, it turned out that the
grid-mapfile was being completely ignored.  condor 7.6.6 appears to
support the gsi-authz interface for user mappings while 7.4.1 did not.
Since we have an /etc/grid-security/gsi-authz.conf for glexec, condor
would find that and skip our grid-mapfile.

By setting and exporting GSI_AUTHZ_CONF=/this/is/an/invalid/file in
/etc/sysconfig/condor, we can see that the grid-mapfile mapping now
takes place.

--Mike
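A quick offline check of the two causes raised in this thread, added here as an example (not from the original messages or from Condor itself): does any identifier Condor logged for the peer satisfy the host half of ALLOW_DAEMON, which mapping source a daemon will end up consulting given the gsi-authz precedence Mike describes, and what the grid-mapfile maps the host DN to. The sample log line is the MasterLog entry above re-joined onto one line, the grid-mapfile content is constructed, and /etc/grid-security/gsi-authz.conf is assumed as the Globus default callout path.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Condor. Paths, the sample
# log line and the grid-mapfile content are constructed from the messages above.

# MasterLog line from the thread, re-joined onto one line as Condor writes it.
SAMPLE_LOG='02/09/12 09:17:50 PERMISSION DENIED to gsi@unmapped from host 10.3.255.107 for command 60008 (DC_CHILDALIVE), access level DAEMON: reason: DAEMON authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 10.3.255.107,compute-10-33.local,compute-10-33'
ALLOW_DAEMON='*@ultralight.org/*.ultralight.org'
TEST_DN='/DC=org/DC=doegrids/OU=Services/CN=compute-10-33.ultralight.org'

# Does any identifier Condor logged for the peer match the host half of an
# ALLOW_* pattern? Returns 0 on match, 1 on no match, 2 if the line has no list.
allow_host_matches() {
    line=$1; hostpat=${2#*/}
    case $line in *"identifiers used for this host: "*) ;; *) return 2 ;; esac
    ids=${line##*"identifiers used for this host: "}
    oldifs=$IFS; IFS=,
    for id in $ids; do
        case $id in $hostpat) IFS=$oldifs; return 0 ;; esac
    done
    IFS=$oldifs; return 1
}

# Which mapping source the daemon consults, following the precedence Mike saw on
# 7.6.6: an existing gsi-authz.conf (GSI_AUTHZ_CONF, or the assumed Globus default
# path) wins over GRIDMAP, so a callout file left behind for glexec silently
# disables grid-mapfile mapping.
mapping_source() {
    authz=${1:-/etc/grid-security/gsi-authz.conf}; gridmap=$2
    if [ -f "$authz" ]; then echo "gsi-authz:$authz"
    elif [ -f "$gridmap" ]; then echo "gridmap:$gridmap"
    else echo "none"; fi
}

# Local account a grid-mapfile assigns to a DN (lines of the form: "/DN" user).
gridmap_user() {
    dn=$1; mapfile=$2
    while IFS= read -r entry; do
        case $entry in "\"$dn\" "*) echo "${entry##* }"; return 0 ;; esac
    done < "$mapfile"
    return 1
}

# Stand-alone demo against a constructed grid-mapfile in a temporary directory.
tmp=$(mktemp -d); printf '"%s" condor\n' "$TEST_DN" > "$tmp/grid-mapfile"
allow_host_matches "$SAMPLE_LOG" "$ALLOW_DAEMON" || echo "no logged identifier matches ${ALLOW_DAEMON#*/}"
echo "mapping source: $(mapping_source "$tmp/missing-authz.conf" "$tmp/grid-mapfile")"
echo "DN maps to: $(gridmap_user "$TEST_DN" "$tmp/grid-mapfile")"
rm -rf "$tmp"
```

Run it against a real MasterLog line and your own ALLOW_DAEMON value to see which of the two conditions is failing before touching DNS or NETWORK_INTERFACE.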

On 02/09/2012 12:57 PM, Steven Timm wrote:
Looks like you are dealing with some kind of a DNS issue on a public vs.
private net.
You have ALLOW_DAEMON from hosts that have host names like
ultralight.org, which are in your gridmap file, but the IPs that you are
showing in the log file don't resolve to ultralight.org, or in
fact to anything at all.

You need to either also include the private net IPs of interest
in your ALLOW list, or use the NETWORK_INTERFACE setting to make
sure all the daemons you need are using the public ultralight.org IP.

Steve Timm


On Thu, 9 Feb 2012, Steven Lo wrote:


Hi,

We are in the process of testing Condor version 7.6.6 with our existing
version 7.4.1.  If all goes well, we will upgrade all to 7.6.6.

We are having a problem with the GSI authentication part.  Looks like
the gridmap lookup of the host certificate in the gridmap is not
working properly.

The following is part of the MasterLog:

02/09/12 09:17:50 This process has a valid certificate & key
02/09/12 09:17:50 Adding to resolved authorization table:
gsi@unmapped/10.3.255.107: DENY_DAEMON
02/09/12 09:17:50 PERMISSION DENIED to gsi@unmapped from host
10.3.255.107 for command 60008 (DC_CHILDALIVE), access level DAEMON:
reason: DAEMON authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host:
10.3.255.107,compute-10-33.local,compute-10-33
02/09/12 09:17:50 PERMISSION DENIED to gsi@unmapped from host
10.3.255.107 for command 60008 (DC_CHILDALIVE), access level DAEMON:
reason: cached result for DAEMON; see first case for the full reason


The following is part of the StartLog:

02/09/12 09:20:23 PERMISSION DENIED to gsi@unmapped from host
10.3.255.168 for command 442 (REQUEST_CLAIM), access level DAEMON:
reason: DAEMON authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host:
10.3.255.168,gatekeeper-13-12.local


The following is the security section of the condor_config file:

SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = GSI
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = GSI

ALLOW_DAEMON = *@ultralight.org/*.ultralight.org
ALLOW_NEGOTIATOR = *@ultralight.org/*.ultralight.org

GSI_DAEMON_DIRECTORY      = /etc/grid-security
GSI_DAEMON_CERT           = $(GSI_DAEMON_DIRECTORY)/condorcert.pem
GSI_DAEMON_KEY            = $(GSI_DAEMON_DIRECTORY)/condorkey.pem
GSI_DAEMON_TRUSTED_CA_DIR = $(GSI_DAEMON_DIRECTORY)/certificates
#GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
GSI_NEGOTIATOR_TRUSTED_CA_DIR = /etc/grid-security/certificates
GSI_DAEMON_NAME           = /DC=org/DC=doegrids/OU=Services/CN=compute-10-33.ultralight.org,/DC=org/DC=doegrids/OU=Services/CN=compute-13-1.ultralight.org

GRIDMAP                   = /etc/grid-security/grid-mapfile


The following is the certificate subject for the test host:

Subject: DC=org, DC=doegrids, OU=Services,
CN=compute-10-33.ultralight.org



We've also attached the MasterLog.debug file and the grid-mapfile.


Thanks in advance for your help.

Steven Lo
 Caltech CMS Tier2 Administrator




------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Group Leader.
Lead of FermiCloud project.
_______________________________________________
Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/condor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/condor-users/
