
[HTCondor-users] authz rule inconsistency



Hi,

Based on my conversation with Brian, I thought that SCHEDD.ALLOW_NEGOTIATOR and ALLOW_NEGOTIATOR_SCHEDD are different notations for the very same thing (aka. "synonyms").

However, it seems not to be the case. Could somebody explain what's going on?

# condor_version
$CondorVersion: 8.1.6 May 14 2014 BuildID: 247684 $
$CondorPlatform: x86_64_RedHat6 $

Case 1

# grep NEG /etc/condor/config.d/10_security.config
HOSTALLOW_NEGOTIATOR =
ALLOW_NEGOTIATOR = condor-service@$(UID_DOMAIN)/$(CMS)

...
09/16/14 13:27:53 (pid:1351228) IPVERIFY: Subsystem SCHEDD
09/16/14 13:27:53 (pid:1351228) IPVERIFY: Permission WRITE
09/16/14 13:27:53 (pid:1351228) IPVERIFY: allow WRITE: *@Y.Z/*.Y.Z,*@fsauth/X.Y.Z (from config value ALLOW_WRITE)
09/16/14 13:27:53 (pid:1351228) IPVERIFY: Subsystem SCHEDD
09/16/14 13:27:53 (pid:1351228) IPVERIFY: Permission NEGOTIATOR
09/16/14 13:27:53 (pid:1351228) IPVERIFY: allow NEGOTIATOR:  (from config value ALLOW_NEGOTIATOR_SCHEDD)
09/16/14 13:27:53 (pid:1351228) IPVERIFY: Subsystem SCHEDD
09/16/14 13:27:53 (pid:1351228) IPVERIFY: Permission ADMINISTRATOR
...
09/16/14 13:17:32 (pid:1348940) PERMISSION DENIED to condor-service@xxx from host a.b.c.d for command 416 (NEGOTIATE), access level NEGOTIATOR: reason: NEGOTIATOR authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: a.b.c.d,W.Y.Z, hostname size = 1, original ip address = a.b.c.d
...

Case 2

# grep NEG /etc/condor/config.d/10_security.config
HOSTALLOW_NEGOTIATOR =
ALLOW_NEGOTIATOR = condor-service@$(UID_DOMAIN)/$(CMS)
SCHEDD.ALLOW_NEGOTIATOR = condor-service@$(UID_DOMAIN)/$(CMS)

...
09/16/14 13:29:33 (pid:1351228) IPVERIFY: Subsystem SCHEDD
09/16/14 13:29:33 (pid:1351228) IPVERIFY: Permission WRITE
09/16/14 13:29:33 (pid:1351228) IPVERIFY: allow WRITE: *@Y.Z/*.Y.Z,*@fsauth/X.Y.Z (from config value ALLOW_WRITE)
09/16/14 13:29:33 (pid:1351228) IPVERIFY: Subsystem SCHEDD
09/16/14 13:29:33 (pid:1351228) IPVERIFY: Permission NEGOTIATOR
09/16/14 13:29:33 (pid:1351228) IPVERIFY: allow NEGOTIATOR:  (from config value ALLOW_NEGOTIATOR_SCHEDD)
09/16/14 13:29:33 (pid:1351228) IPVERIFY: Subsystem SCHEDD
09/16/14 13:29:33 (pid:1351228) IPVERIFY: Permission ADMINISTRATOR
...
09/16/14 13:30:32 (pid:1351228) PERMISSION DENIED to condor-service@xxx from host a.b.c.d for command 416 (NEGOTIATE), access level NEGOTIATOR: reason: NEGOTIATOR authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: a.b.c.d,W.Y.Z, hostname size = 1, original ip address = a.b.c.d
...

Case 3

# grep NEG /etc/condor/config.d/10_security.config
HOSTALLOW_NEGOTIATOR =
ALLOW_NEGOTIATOR = condor-service@$(UID_DOMAIN)/$(CMS)
SCHEDD.ALLOW_NEGOTIATOR = condor-service@$(UID_DOMAIN)/$(CMS)
ALLOW_NEGOTIATOR_SCHEDD = condor-service@$(UID_DOMAIN)/$(CMS)

...
09/16/14 13:34:17 (pid:1352401) IPVERIFY: Subsystem SCHEDD
09/16/14 13:34:17 (pid:1352401) IPVERIFY: Permission WRITE
09/16/14 13:34:17 (pid:1352401) IPVERIFY: allow WRITE: *@Y.Z/*.Y.Z,*@fsauth/X.Y.Z (from config value ALLOW_WRITE)
09/16/14 13:34:17 (pid:1352401) IPVERIFY: Subsystem SCHEDD
09/16/14 13:34:17 (pid:1352401) IPVERIFY: Permission NEGOTIATOR
09/16/14 13:34:17 (pid:1352401) IPVERIFY: allow NEGOTIATOR: condor-service@xxx/W.Y.Z (from config value ALLOW_NEGOTIATOR_SCHEDD)
09/16/14 13:34:17 (pid:1352401) IPVERIFY: Subsystem SCHEDD
09/16/14 13:34:17 (pid:1352401) IPVERIFY: Permission ADMINISTRATOR
...
09/16/14 13:35:04 (pid:1352401) PERMISSION GRANTED to condor-service@xxx from host a.b.c.d for command 416 (NEGOTIATE), access level NEGOTIATOR: reason: NEGOTIATOR authorization policy allows IP address a.b.c.d; identifiers used for this remote host: a.b.c.d,W.Y.Z
...

Thanks,
Daniel
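An added triage helper, not part of the mail above nor of HTCondor itself: it reads a security config fragment and IPVERIFY log lines of the shape shown in the cases, and reports, per permission, which config name the daemon says it took the allow list from and whether that list came out empty. The config and log lines below are constructed from Case 2 with the mail's own placeholders.

```python
import re

# Constructed config fragment mirroring the mail's "Case 2" (placeholders kept as in the mail).
CONFIG = """\
HOSTALLOW_NEGOTIATOR =
ALLOW_NEGOTIATOR = condor-service@$(UID_DOMAIN)/$(CMS)
SCHEDD.ALLOW_NEGOTIATOR = condor-service@$(UID_DOMAIN)/$(CMS)
"""

# Constructed IPVERIFY lines in the shape of the mail's SchedLog excerpt.
LOG = """\
09/16/14 13:29:33 (pid:1351228) IPVERIFY: Permission NEGOTIATOR
09/16/14 13:29:33 (pid:1351228) IPVERIFY: allow NEGOTIATOR:  (from config value ALLOW_NEGOTIATOR_SCHEDD)
09/16/14 13:29:33 (pid:1351228) IPVERIFY: Permission WRITE
09/16/14 13:29:33 (pid:1351228) IPVERIFY: allow WRITE: *@Y.Z/*.Y.Z,*@fsauth/X.Y.Z (from config value ALLOW_WRITE)
"""

# "allow <PERM>: <list, possibly empty> (from config value <NAME>)"
ALLOW_RE = re.compile(r"IPVERIFY: allow (\w+): (.*?) ?\(from config value ([\w.]+)\)")

def parse_config(text):
    """Return {KEY: value} for 'KEY = value' lines; an empty right-hand side gives ''."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit(config_text, log_text):
    """One record per 'allow' line: the knob the daemon reports using, what it resolved to,
    and which related ALLOW_<PERM> knobs the admin actually set in the config."""
    cfg = parse_config(config_text)
    findings = []
    for line in log_text.splitlines():
        m = ALLOW_RE.search(line)
        if not m:
            continue
        perm, value, source = m.groups()
        findings.append({
            "perm": perm, "source": source, "effective": value.strip(),
            "empty": value.strip() == "", "source_in_config": source in cfg,
            "related_keys": sorted(k for k in cfg if ("ALLOW_" + perm) in k),
        })
    return findings

def problems(findings):
    """Warnings for permissions whose effective allow list is empty (nobody is authorized)."""
    return [f"{f['perm']}: empty allow list taken from {f['source']} "
            f"(set in config: {f['source_in_config']}); related keys set: "
            f"{', '.join(f['related_keys']) or 'none'}"
            for f in findings if f["empty"]]
```

Running `problems(audit(CONFIG, LOG))` on the Case 2 input flags NEGOTIATOR as empty and lists the three related keys that were set but not reported as the source, which is exactly the mismatch the mail's PERMISSION DENIED line reflects.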