[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] Authentication issue
- Date: Mon, 15 Sep 2014 08:08:12 -0500
- From: Zachary Miller <zmiller@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] Authentication issue
On Mon, Sep 15, 2014 at 01:55:32PM +0200, Pek Daniel wrote:
> > First question: During "normal operation" (i.e. before a restart) do
> > you see this in the log at all? If you run "condor_status -collector"
> > do you see an ad for the Collector?
> No, only once after restarting condor. No, there's no collector ad in the
Cool, that's what I expected.
> I don't know if it helps, I tried to set ALLOW_CLIENT = * (of course, it's
> not an acceptable policy, just out of curiousity, before it was:
> ALLOW_CLIENT = *@$(UID_DOMAIN)/*.$(DEFAULT_DOMAIN_NAME), then the collector
> ad is there, and I got this in the CollectorLog:
> 09/15/14 13:43:14 SECMAN: command 19 UPDATE_COLLECTOR_AD to collector X.Y.Z
> from UDP port 55406 (blocking, raw).
> 09/15/14 13:43:14 DC_AUTHENTICATE: received UDP packet from <a.b.c.d:55406>.
> 09/15/14 13:43:14 DaemonCore received UNAUTHENTICATED command 19
> 09/15/14 13:43:14 PERMISSION GRANTED to unauthenticated user from host
> a.b.c.d for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
> 09/15/14 13:43:14 Received UDP command 19 (UPDATE_COLLECTOR_AD) from
> <a.b.c.d:55406>, access level ALLOW
> 09/15/14 13:43:14 Calling HandleReq <receive_update> (0) for command 19
> (UPDATE_COLLECTOR_AD) from unauthenticated@unmapped <a.b.c.d:55406>
> 09/15/14 13:43:14 CollectorAd : Inserting ** "< name@xxxxx >"
> 09/15/14 13:43:14 stats: Inserting new hashent for 'Collector':'name@xxxxx
> 09/15/14 13:43:14 Return from HandleReq <receive_update> (handler: 0.000s,
> sec: 0.000s, payload: 0.000s)
Also to be expected. In this case, the message is misleading. The UDP packet
is not UNAUTHENTICATED as it claims... it is using an internal secret known
only to the Collector process. It seems in doing so, though, it's not properly
filling in the canonical name, and without code changes I don't believe there
is a way to specify this in the CERTIFICATE_MAPFILE. Hence, the authorization
Thanks for the data points. Again, I'll investigate a little further and get
back to you with more details.