[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] Authentication for university/local users - kerberos and mapping user names to ClassAds

Dear all,

I am currently trying to enable our university users to use an HTCondor cluster that is configured for the grid (via ARC CE). The goal is to
1) give local users access to the pool
2) provide fine-grained mapping (user -> AccountingGroup) and therefore quota

For this I had a look at the HTCondor documentation for password and kerberos authentication.
Password seems easy to set up, but since the local account authentication uses kerberos I wanted to try it first. For this I added [1] in the configuration and [2] on the submitting node as well as the scheduler/negotiator. The values inside '<>' are of course substituted in the actual configs.

However, after getting a kerberos ticket (kinit) I still can't authenticate to condor:
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using KERBEROS
AUTHENTICATE:1004:Failed to authenticate using PASSWORD
AUTHENTICATE:1004:Failed to authenticate using FS

Am I missing something or doing something wrong? What is the best way to debug this?

Secondly once the above works I would like to map individual users. Currently I use [4] to fill the AccountingGroup automatically.
For the university users I would like to end up with a structure like
physics.astro.<user a>
physics.particle.<user b>
One way to do it is to assign these users to groups like astro, particle, etc and assume the 'physics.' part if they don't have a certificate.
However, this is problematic as the primary group for all users is, and has to be for various reasons, "users". Therefore I am looking for an alternative way to make this mapping.
I had a look at the Unified Map File, but it does map users to a condor user name. Is there an easy way to create AcctGroup, AcctSubGroup?
Ideally I would have one file on the scheduler/negotiator with the content
# user_name AcctGroup AcctSubGroup
<user a> physics astro
<user b> physics particle
It is easy to make a script to parse the above, so probably the correct question is:
How do I make condor use script (let's say python) in an ifThenElse to fill a ClassAd in [4]?

Sorry for the long email and thank you in advance for any help.


# Authentication
SEC_PASSWORD_FILE = /etc/condor/pool_password
KERBEROS_MAP_FILE = /etc/condor/kerberos.map

cat /etc/condor/kerberos.map
<Kerberos realm> = <UID domain>

 default_realm = <Kerberos realm>
 dns_lookup_realm = true
 dns_lookup_kdc = true

 <Kerberos realm> = {
  kdc = <server>:88

 <Kerberos realm> = <Kerberos realm>
 .<Kerberos realm> = <Kerberos realm>

AcctSubGroup = \
ifThenElse(regexp("prd",Owner), "production",\
# This one is not useful for grid sites but is useful if you want to
# implement user based quotas:
# group_<name>.<subgroup>.<user name>
AcctGroup = strcat("group_", x509UserProxyVOName, ".",AcctSubGroup, ".", Owner)
# condor uses AcctGroup, but some monitoring scripts use AccountingGroup
# let's have both.
AccountingGroup = $(AcctGroup)
ConcurrencyLimits = strcat(AcctGroup, ",", AcctSubGroup, ",", Owner)
SUBMIT_EXPRS = $(SUBMIT_EXPRS) AcctGroup, AcctSubGroup, AccountingGroup, ConcurrencyLimits
  Dr Lukasz Kreczko            +44 (0)117 928 8724  
  CMS Group
  School of Physics
  University of Bristol