
[HTCondor-users] Antw: Re: Antw: Re: Authentication for remote-submit



Is it possible to do the remote submit on a Linux machine?

Thanks,
Werner
>>> John M Knoeller <johnkn@xxxxxxxxxxx> 01.08.2019 17:42 >>>
On Windows, there is no such thing as an account that is allowed to impersonate anyone, even the LOCAL_SYSTEM account can't do that.
So in order to impersonate a user HTCondor has to have a stored credential for that user.
 
In practice, that means that HTCondor can only impersonate users that have used condor_store_cred to
store their username and password with HTCondor on that machine. If you run a CREDD_HOST, then the credential store
can be shared across machines, if you don't then condor_store_cred has to be run by each user on each machine.
 
In normal operation, you should not be able to fetch the files from the schedd unless you authenticate to the schedd
as the same fully qualified username as the one the schedd thinks owns that ClusterId.   
 
Configuring the remote schedd to think that the identity that you authenticate as is a QUEUE_SUPERUSER should allow you to fetch
the files for a job that had completed. It won't help you submit jobs, for that HTCondor on Windows must have the credential that
condor_store_cred saves.
 
-tj
 
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Werner Koppelstätter
Sent: Thursday, August 1, 2019 9:48 AM
To: htcondor-users@xxxxxxxxxxx
Subject: [HTCondor-users] Antw: Re: Authentication for remote-submit
 
Hi Brian,
 
Yes it looks like a problem with authorization.
 
Spooling files works fine. The jobs finished and all files exist in the spool-folder. These files have Windows read and write permissions for everyone.
The problem occurs when transferring the files from the remote-schedd to the local machine using python-binding ('schedd.retrieve("ClusterId == %d" % id)').
 
I already tried:
ALLOW_READ = *
ALLOW_WRITE = *
ALLOW_ADMINISTRATOR = *
ALLOW_CONFIG = *
ALLOW_NEGOTIATOR = *
ALLOW_DAEMON = *
ALLOW_ADVERTISE_MASTER = *
ALLOW_ADVERTISE_STARTD = *
ALLOW_ADVERTISE_SCHEDD = *
ALLOW_CLIENT = *
ALLOW_OWNER = *
ALLOW_NEGOTIATOR_SCHEDD = *
ALLOW_WRITE_STARTD = *
ALLOW_READ_STARTD = *
ALLOW_READ_COLLECTOR = *
ALLOW_READ_SCHEDD = *
ALLOW_WRITE_SCHEDD = *
 
Any idea which settings I need to get permission to retrieve these files?
 
Thanks,
Werner
>>> "Bockelman, Brian" <BBockelman@xxxxxxxxxxxxx> 29.07.2019 15:08 >>>
Hi Werner,
 
(I'm not a Windows person, just guessing from the error messages)
 
The schedd appears to be trying to change to the specific user ("EAL\wkoppelstaetter" ?) in order to write the spooled files as that person.  Since the account doesn't exist, a failure is returned.
 
I don't think it's really a matter of authentication - you are authenticated successfully it seems - but of authorization.  Unlike the startd running jobs, the schedd requires a local account to exist in order to spool jobs and launch the condor_shadow process.
 
Brian
 
> On Jul 26, 2019, at 8:38 AM, Werner Koppelstätter <Werner.Koppelstaetter@xxxxxx> wrote:
>
> Hi all,
>
> I try to submit jobs on a remote machine via python binding.
> If I have an account on the other machine it works fine.
> I use condor version 8.8.4 on Windows OS. Collector, Submitter and Starter are on one (remote) machine.
>
> If there is no account on the submit-machine it doesn't work.
>
> I tried to change the authentication for testing.
> SEC_WRITE_AUTHENTICATION_METHODS = CLAIMTOBE
> SEC_READ_AUTHENTICATION_METHODS = CLAIMTOBE
>
> With these settings the job starts and finishes, but I receive no files from the job (output-file, error-file, results).
> What am I doing wrong? How can I make it work?
>
> Submit the job with:
> id = schedd.submit(ads, spool=True, ad_results=ads_res)
> schedd.spool(ads_res)
>
> Retrieve Files:
> schedd.retrieve("ClusterId == %d" % id)
>
> I got this error:
> RuntimeError: DCSchedd::receiveJobSandbox:7003:File transfer failed for target job 9.0: SCHEDD at 10.78.140.5 failed to send file(s) to <10.78.140.29:60956>: error reading from C:\condor\spool\9\0\cluster9.proc0.subproc0\model.ans: permission denied; TOOL failed to receive file(s) from <10.78.140.5:9618>
>
> In the SchedLog there are the following lines:
> 07/26/19 14:27:38 (pid:13688) perm::init: Lookup Account Name EAL\wkoppelstaetter failed (err=1332), trying wkoppelstaetter
> 07/26/19 14:27:38 (pid:13688) perm::init: Lookup Account Name EAL\wkoppelstaetter failed (err=1332), using Everyone
> 07/26/19 14:27:38 (pid:13688) DoUpload: (Condor error code 13, subcode 1) SCHEDD at 10.78.140.5 failed to send file(s) to <10.78.140.29:60956>: error reading from C:\condor\spool\9\0\cluster9.proc0.subproc0\model.ans: permission denied; TOOL failed to receive file(s) from <10.78.140.5:9618>
> 07/26/19 14:27:38 (pid:13688) (cid:2297) generalJobFilesWorkerThread(): failed to transfer files for job 9.0
> 07/26/19 14:27:38 (pid:13688) condor_write(): Socket closed when trying to write 13 bytes to <10.78.140.29:60956>, fd is 1052
> 07/26/19 14:27:38 (pid:13688) Buf::write(): condor_write() failed
> 07/26/19 14:27:38 (pid:13688) ERROR - Staging of job files failed!
>
> Best regards,
> Werner
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
 
>
> The archives can be found at:
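
The sequence visible in the SchedLog excerpt in this thread (account lookup fails with err=1332, the schedd settles on "Everyone", then reading the spooled file is denied) can be picked out of a log automatically. This is an added example, not part of the original thread and not HTCondor code; the function name `triage` and the grouping by pid and timestamp are assumptions made for illustration.

```python
import re
from collections import defaultdict

# SchedLog lines copied from the post quoted above (not constructed).
SCHEDLOG = r"""
07/26/19 14:27:38 (pid:13688) perm::init: Lookup Account Name EAL\wkoppelstaetter failed (err=1332), trying wkoppelstaetter
07/26/19 14:27:38 (pid:13688) perm::init: Lookup Account Name EAL\wkoppelstaetter failed (err=1332), using Everyone
07/26/19 14:27:38 (pid:13688) DoUpload: (Condor error code 13, subcode 1) SCHEDD at 10.78.140.5 failed to send file(s) to <10.78.140.29:60956>: error reading from C:\condor\spool\9\0\cluster9.proc0.subproc0\model.ans: permission denied; TOOL failed to receive file(s) from <10.78.140.5:9618>
07/26/19 14:27:38 (pid:13688) ERROR - Staging of job files failed!
"""

LINE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \(pid:(?P<pid>\d+)\) (?P<msg>.*)$")
LOOKUP = re.compile(r"perm::init: Lookup Account Name (?P<acct>\S+) failed "
                    r"\(err=(?P<err>\d+)\), (?P<step>trying|using) (?P<next>\S+)")
DENIED = re.compile(r"error reading from (?P<path>.+?): permission denied")
# Windows error 1332 is ERROR_NONE_MAPPED: the name did not resolve to a SID.
ERROR_NONE_MAPPED = 1332


def triage(log_text):
    """Group by (pid, timestamp) and report transfers denied in the same
    second in which a job owner failed to map to a Windows account."""
    groups = defaultdict(lambda: {"accounts": set(), "fallback": None, "denied": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        g = groups[(m["pid"], m["ts"])]
        lk = LOOKUP.search(m["msg"])
        if lk and int(lk["err"]) == ERROR_NONE_MAPPED:
            g["accounts"].add(lk["acct"])
            if lk["step"] == "using":      # final identity the schedd settled on
                g["fallback"] = lk["next"]
        dn = DENIED.search(m["msg"])
        if dn:
            g["denied"].append(dn["path"])
    return [
        {"pid": pid, "time": ts, "unmapped": sorted(g["accounts"]),
         "fallback": g["fallback"], "denied_paths": g["denied"]}
        for (pid, ts), g in sorted(groups.items())
        if g["accounts"] and g["denied"]
    ]


if __name__ == "__main__":
    for finding in triage(SCHEDLOG):
        print(finding)
```
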
 
 
 