[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] Access Problems



Hi,

We have a couple of computers running in a cluster on master machine with subdomain XXX.
We have a machine with subdomain YYY connected via a direct network on secondary network card, so there's an internal network between XXX and YYY machines.

The internal network between XXX and YYY is indicated in the /etc/hosts file as:
10.0.0.1 XXX.ucsc.edu XXX
and
10.0.0.2 YYY.ucsc.edu YYY
on their respective machines

We also have computers such as ZZZ, and etc which do not have internal network to XXX, the main pool machine.

All the machines are on ucsc.edu domain name, UID_DOMAIN, FILESYSTEM_DOMAIN are set to it.
the ALLOW READ and WRITE are set to *.ucsc.edu and 10.0.0.*

Machines like ZZZ and XXX can submit and run jobs fine, because they are allowed access.

My problem is with machine YYY which has an internal network setup with machine XXX.

What is happening is that YYY talks to XXX over internal network because of the hosts file, and machine XXX tries to authenticate machine YYY.
It first does a forward name resolution of YYY.ucsc.edu which turns out to be 10.0.0.2 because of the /etc/hosts file.
Then it does a reverse DNS lookup on YYY.ucsc.edu and returns an external IP address of that machine.
When comparing the 2 addresses, they obviously don't match because one IP is external, and the other is internal. This causes the following errors in the XXX's SchedLog log file when a condor_q -g command was used on YYY:
PERMISSION DENIED to unauthenticated@unmapped from host 128.114.###.YYY for command 1111 (QMGMT_READ_CMD), access level READ: reason: READ authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 128.114.###.YYY, hostname size = 0, original ip address = 128.114.###.YYY

Questions:
How do I make XXX work with YYY over the internal network?
Is there an option to modify reverse DNS lookup to resolve YYY to an internal IP address?
Is there an option to turn off reverse DNS lookup so that YYY is authenticated as either YYY.ucsc.edu or 10.0.0.2 instead of 128.114.###.YYY?

Thank you!

--
Andrey Kuznetsov <akuznet1@xxxxxxxx>