
[HTCondor-users] PERMISSION DENIED, but not really?



Hi all, 

I have a submit node that authenticates with a central manager (it flocks to) via GSI, while the execute nodes authenticate with this central manager via a pool password. After negotiation, the startd on the execute nodes throws authorization errors [1] when the schedd is attempting to perform CLAIM-related commands. The documentation [2] definitely does explicitly say that "it is necessary to explicitly authorize the submit side." However, despite having not done that (as far as I know), my jobs submitted at the submit node run to completion on the execute nodes without issue.

The ALLOW_* authorizations from the condor_config_val -dump on the execute node are provided here [3]. 

Can anyone help me understand why my jobs run successfully?

Thanks,

Marty Kandes
UCSD

[1]

02/17/17 02:25:10 PERMISSION DENIED to submit-side@matchsession from host 169.228.130.75 for command 442 (REQUEST_CLAIM), access level DAEMON: reason: DAEMON authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 169.228.130.75,pcf-osg.t2.ucsd.edu, hostname size = 1, original ip address = 169.228.130.75
02/17/17 02:25:10 Request accepted.
02/17/17 02:25:10 Remote owner is mkandes@xxxxxxxxxxxxxxxxxxx
02/17/17 02:25:10 State change: claiming protocol successful
02/17/17 02:25:10 Changing state: Unclaimed -> Claimed
02/17/17 02:25:10 PERMISSION DENIED to submit-side@matchsession from host 169.228.130.75 for command 444 (ACTIVATE_CLAIM), access level DAEMON: reason: cached result for DAEMON; see first case for the full reason
02/17/17 02:25:10 Got activate_claim request from shadow (169.228.130.75)
02/17/17 02:25:10 Remote job ID is 17085.0
02/17/17 02:25:10 Created encrypted dir /var/lib/condor/execute/encrypted0
02/17/17 02:25:12 Got universe "VANILLA" (5) from request classad
02/17/17 02:25:12 State change: claim-activation protocol successful
02/17/17 02:25:12 Changing activity: Idle -> Busy
02/17/17 02:25:13 CONFIGURATION PROBLEM: Failed to insert ClassAd attribute EC2InstanceID = i-03644912a163b69c0.  The most common reason for this is that you forgot to quote a string value in the list of attributes being added to the STARTD ad.
02/17/17 02:25:13 CONFIGURATION PROBLEM: Failed to insert ClassAd attribute EC2InstanceID = i-03644912a163b69c0.  The most common reason for this is that you forgot to quote a string value in the list of attributes being added to the slot1 ad.
02/17/17 02:25:19 PERMISSION DENIED to submit-side@matchsession from host 169.228.130.75 for command 404 (DEACTIVATE_CLAIM_FORCIBLY), access level DAEMON: reason: cached result for DAEMON; see first case for the full reason

[2]


[3]

ALLOW_ADMIN_COMMANDS = true
ALLOW_ADMINISTRATOR = $(CONDOR_HOST)
ALLOW_NEGOTIATOR = $(CONDOR_HOST)
ALLOW_NEGOTIATOR_SCHEDD = $(ALLOW_NEGOTIATOR) $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_OWNER = $(FULL_HOSTNAME) $(IP_ADDRESS) condor_pool@*/*
ALLOW_READ = *
ALLOW_READ_COLLECTOR = $(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD = $(ALLOW_READ) $(FLOCK_FROM)
ALLOW_VM_CRUFT = false
ALLOW_WRITE = $(FULL_HOSTNAME) $(IP_ADDRESS)
ALLOW_WRITE_COLLECTOR = $(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD = $(ALLOW_WRITE) $(FLOCK_FROM)