
Re: [HTCondor-users] Authentication issue



On Mon, Sep 15, 2014 at 01:55:32PM +0200, Pek Daniel wrote:
> > First question: During "normal operation" (i.e. before a restart) do
> > you see this in the log at all?  If you run "condor_status -collector"
> > do you see an ad for the Collector?
> >
> 
> No, only once after restarting condor. No, there's no collector ad in the
> output.

Cool, that's what I expected.


> I don't know if it helps, I tried to set ALLOW_CLIENT = * (of course, it's
> not an acceptable policy, just out of curiosity; before it was:
> ALLOW_CLIENT = *@$(UID_DOMAIN)/*.$(DEFAULT_DOMAIN_NAME)), then the collector
> ad is there, and I got this in the CollectorLog:
> 
> 09/15/14 13:43:14 SECMAN: command 19 UPDATE_COLLECTOR_AD to collector X.Y.Z
> from UDP port 55406 (blocking, raw).
> 09/15/14 13:43:14 DC_AUTHENTICATE: received UDP packet from <a.b.c.d:55406>.
> 09/15/14 13:43:14 DaemonCore received UNAUTHENTICATED command 19
> UPDATE_COLLECTOR_AD.
> 09/15/14 13:43:14 PERMISSION GRANTED to unauthenticated user from host
> a.b.c.d for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
> 09/15/14 13:43:14 Received UDP command 19 (UPDATE_COLLECTOR_AD) from
>  <a.b.c.d:55406>, access level ALLOW
> 09/15/14 13:43:14 Calling HandleReq <receive_update> (0) for command 19
> (UPDATE_COLLECTOR_AD) from unauthenticated@unmapped <a.b.c.d:55406>
> 09/15/14 13:43:14 CollectorAd  : Inserting ** "< name@xxxxx >"
> 09/15/14 13:43:14 stats: Inserting new hashent for 'Collector':'name@xxxxx
> ':'a.b.c.d'
> 09/15/14 13:43:14 Return from HandleReq <receive_update> (handler: 0.000s,
> sec: 0.000s, payload: 0.000s)

Also to be expected.  In this case, the message is misleading.  The UDP packet
is not UNAUTHENTICATED as it claims... it is using an internal secret known
only to the Collector process.  It seems in doing so, though, it's not properly
filling in the canonical name, and without code changes I don't believe there
is a way to specify this in the CERTIFICATE_MAPFILE.  Hence, the authorization
fails.

Thanks for the data points.  Again, I'll investigate a little further and get
back to you with more details.


Cheers,
-zach
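As an added example (not from this thread or from HTCondor itself), a small Python audit over CollectorLog lines like the ones quoted above: it lists every PERMISSION GRANTED to "unauthenticated user" and sets aside the collector's own UPDATE_COLLECTOR_AD self-update, which the reply explains is really keyed by an internal secret despite the misleading log text. The sample lines are constructed, and the PERMISSION line layout is assumed to match the quoted one (unwrapped, as the daemon writes it).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, modelled on the quoted CollectorLog excerpt; hosts and names
# are the thread's placeholders, and lines 3-5 are constructed variants.
SAMPLE_LOG = """\
09/15/14 13:43:14 DaemonCore received UNAUTHENTICATED command 19 UPDATE_COLLECTOR_AD.
09/15/14 13:43:14 PERMISSION GRANTED to unauthenticated user from host a.b.c.d for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
09/15/14 13:43:15 PERMISSION GRANTED to condor_pool@xxxxx from host a.b.c.d for command 60011 (DC_NOP), access level DAEMON: reason:
09/15/14 13:43:16 PERMISSION GRANTED to unauthenticated user from host e.f.g.h for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
09/15/14 13:43:17 PERMISSION DENIED to unauthenticated user from host e.f.g.h for command 60011 (DC_NOP), access level DAEMON: reason:
"""

# Assumed layout of a PERMISSION line, taken from the one quoted in the thread.
PERM_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) PERMISSION (?P<verdict>GRANTED|DENIED) to "
    r"(?P<user>.+?) from host (?P<host>\S+) for command (?P<cmd>\d+) "
    r"\((?P<name>\w+)\), access level (?P<level>\w+)"
)

@dataclass
class PermEvent:
    ts: str
    verdict: str
    user: str
    host: str
    cmd: int
    name: str
    level: str

    @property
    def unauthenticated(self) -> bool:
        return self.user == "unauthenticated user"

def parse_permission_events(text: str) -> list[PermEvent]:
    """Extract PERMISSION GRANTED/DENIED events; all other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PERM_RE.match(line)
        if m:
            fields = m.groupdict()
            fields["cmd"] = int(fields["cmd"])
            events.append(PermEvent(**fields))
    return events

def audit_unauthenticated_grants(text: str, collector_hosts: set[str]) -> list[PermEvent]:
    """Grants to 'unauthenticated user', excluding the collector's own
    UPDATE_COLLECTOR_AD self-updates when they come from a known collector host."""
    return [
        e for e in parse_permission_events(text)
        if e.verdict == "GRANTED" and e.unauthenticated
        and not (e.name == "UPDATE_COLLECTOR_AD" and e.host in collector_hosts)
    ]
```

Anything the audit still returns is a grant that ALLOW_CLIENT = * handed to a truly unauthenticated peer, which is what makes that setting unacceptable as a policy.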