
Re: [HTCondor-users] PERMISSION DENIED, but not really?

> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
> Of Kandes, Martin
> Sent: Friday, February 17, 2017 8:11 PM
> To: htcondor-users@xxxxxxxxxxx
> Subject: [HTCondor-users] PERMISSION DENIED, but not really?
> Hi all,
> I have a submit node that authenticates with a central manager (it flocks
> to) via GSI, while the execute nodes authenticate with this central manager
> via a pool password. After negotiation, the startd on the execute nodes
> throws authorization errors [1] when the schedd is attempting to perform
> CLAIM-related commands. The documentation [2] definitely does explicitly
> say that "it is necessary to explicitly authorize the submit side."
> However, despite having not done that (as far as I know), my jobs submitted
> at the submit node run to completion on the execute nodes without issue.

That section of the manual appears to have been written before we added the MATCH_PASSWORD functionality.  Now, when match password is in use, HTCondor dynamically adds and removes authorizations as it establishes the match.  It appears it might not be doing so correctly, though, which would mean that [2] is still at least partially true.

Those log messages are beyond confusing.  I'm still digging into exactly what might be going on here, but I think I at least understand why the job is running.  If you can replicate the problem with a higher debug level (D_ALL:2 for the StartLog on the execute machine and the ShadowLog on the submit machine), the logs will contain (MUCH) more info.  Feel free to send them to me off-list if you like.
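
For the debug level, a minimal sketch of the settings I mean, assuming the usual per-daemon debug knobs (STARTD_DEBUG for the StartLog, SHADOW_DEBUG for the ShadowLog) and that you set them in each machine's local configuration:

```
# On the execute machine: verbose StartLog
STARTD_DEBUG = D_ALL:2

# On the submit machine: verbose ShadowLog
SHADOW_DEBUG = D_ALL:2
```

Run condor_reconfig on each machine afterwards so the daemons pick up the change.  The logs grow quickly at this level, so you will probably want to revert once you have captured the problem.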

You can solve the actual problem by explicitly adding the authorizations to ALLOW_WRITE.  I assume you are just following up on this out of curiosity, so thanks for that.  I definitely want to understand the problem and fix any resulting issues.
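
For the ALLOW_WRITE workaround, a sketch of what that could look like in the execute nodes' configuration.  The host name below is a placeholder, not something taken from your setup; substitute whatever host or authenticated identity your submit node actually presents:

```
# On the execute nodes: keep the existing entries and add the submit side.
# submit.example.org is a hypothetical host name.
ALLOW_WRITE = $(ALLOW_WRITE), submit.example.org
```

A condor_reconfig on the execute nodes should be enough for the startd to pick this up.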