Dear all,

We have a strange behavior dealing with GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION and argus-pep-callout.

Reading the documentation, GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION considers the DN and VOMS FQAN, but in our case it seems that it only takes into account the DN. In other words, the same DN with a different VOMS FQAN is mapped to the same user without querying the Argus server, because we have a GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION of 30 minutes. In my opinion, this is not related to our Argus configuration, since when the cache expires and HTCondor-CE queries the Argus server, it always maps correctly considering DN+VOMS FQAN. Furthermore, with GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION = 0, all the mapping is done correctly.

My interest in adding a GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION time of around 30 minutes is to avoid high load on the CE. This is not a very important issue, as most of the DNs always use the same VOMS FQAN, but it affects the mapping for the SAM WLCG checks, for instance.

Any ideas? I really do not know what to check and if this is related to my HTCondor/HTCondorCE config or some issue with the general argus-pep-callout config. I was checking with other colleagues that have similar configurations and they do not see this issue.

We are running HTCondor 8.6.6-1, HTCondor-CE 2.1.2 (and 3.0.1), and the argus-gsi-pep-callout version is 1.3.1-2.

Thank you in advance.