
Re: [HTCondor-users] HTCondor-CE problem with condor_ce_router_q



Hi Stewart,

D'oh, that's right -- we change the order of the client auth methods in the client script wrapper. Could you try setting `TOOL.SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD` then reconfiguring? If that works, I'll work on removing our override in the wrapper and set it in the configuration instead.

If that doesn't work, you should be able to run `_condor_SEC_CLIENT_AUTHENTICATION_METHODS=GSI,FS,PASSWORD condor_ce_router_q`.

Thanks,
Brian

On 10/18/19 9:04 AM, Stewart Martin-Haugh wrote:
Hi Brian,

It's taking it from the environment:

    SEC_CLIENT_AUTHENTICATION_METHODS = GSI,FS
     # at: <Environment>

despite me setting it in the 01-common-auth.conf file.

Cheers,
Stewart

On Fri, 18 Oct 2019 at 14:52, Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Stewart,

Try running `condor_ce_config_val -v SEC_CLIENT_AUTHENTICATION_METHODS`; that'll tell you which file is setting that configuration.

- Brian

On 10/18/19 4:08 AM, Stewart Martin-Haugh wrote:
Hi Brian,

I tried this but I still don't see the changed value - I've reconfigured and restarted, and I see:

    condor_ce_config_val -dump | grep SEC_CLIENT_AUTHENTICATION_METHODS
    SEC_CLIENT_AUTHENTICATION_METHODS = GSI,FS

    grep SEC_CLIENT_AUTHENTICATION_METHODS /etc/condor-ce/config.d/ -r
    /etc/condor-ce/config.d/01-common-auth.conf:SEC_CLIENT_AUTHENTICATION_METHODS = FS,GSI
    /etc/condor-ce/config.d/01-common-auth.conf:SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD

I also tried putting it in a different file just in case, same result.

Cheers,
Stewart




On Thu, 17 Oct 2019 at 19:34, Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Stewart,

I suspect that you may need to configure HTCondor-CE to use the same pool password as the condor pool (as well as enabling PASSWORD auth).

1) So set the following in `/etc/condor-ce/config.d/`:

    SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD
    SEC_PASSWORD_FILE = /etc/condor/private/poolpassword

2) Then run condor_ce_reconfig.

If that doesn't work, we'll need to debug further:

On your central manager, set `COLLECTOR_DEBUG = $(COLLECTOR_DEBUG) D_CAT D_ALWAYS:2 D_SECURITY` and start tailing the log. On your CE host, run `condor_ce_router_q` and you should be able to see corresponding authorization messages in your CM's CollectorLog.

- Brian

On 10/10/19 3:00 PM, Stewart Martin-Haugh wrote:
Hi Brian,

Thanks for the quick response.

    rpm -q htcondor-ce condor
    htcondor-ce-3.2.2-1.el7.noarch
    condor-8.8.4-1.el7.x86_64

No errors on the CE. On the CM I don't see any recent PERMISSION DENIED errors - there are some from earlier today but we've been working on the configuration. Those errors are, for completeness:

/var/log/condor/CollectorLog:10/10/19 10:59:13 PERMISSION DENIED to condor_pool@xxxxxxxxxxxxxxx from host 111.222.333.444 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: reason: ADVERTISE_SCHEDD authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 111.222.333.444,host-111-222-333-444.nubes.stfc.ac.uk, hostname size = 1, original ip address = 111.222.333.444
/var/log/condor/CollectorLog:10/10/19 12:54:24 PERMISSION DENIED to condor_pool@xxxxxxxxxxxxxxx from host 111.222.333.444 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: reason: ADVERTISE_SCHEDD authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 111.222.333.444,host-111-222-333-444.nubes.stfc.ac.uk, hostname size = 1, original ip address = 111.222.333.444
/var/log/condor/NegotiatorLog:10/10/19 14:59:57 PERMISSION DENIED to condor_pool@xxxxxxxxxxxxxxx from host 111.222.333.444 for command 421 (Reschedule), access level DAEMON: reason: DAEMON authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 111.222.333.444,host-111-222-333-444.nubes.stfc.ac.uk, hostname size = 1, original ip address = 111.222.333.444

condor_config is as follows:

ALLOW_DAEMON = condor_pool@xxxxxxxxxxxxxxx/*.gridpp.rl.ac.uk, $(FULL_HOSTNAME), submit-side@matchsession, condor_pool@xxxxxxxxxxxxxxx/host-111-222-333-444.nubes.stfc.ac.uk, 111.222.333.444
CES = condor_pool@xxxxxxxxxxxxxxx/arc.gridpp.rl.ac.uk,condor_pool@xxxxxxxxxxxxxxx/host-111-222-333-444.nubes.stfc.ac.uk
COLLECTOR.ALLOW_ADVERTISE_MASTER = $(CES), $(CMS), $(WNS)
COLLECTOR.ALLOW_ADVERTISE_SCHEDD = $(CES)
COLLECTOR.ALLOW_ADVERTISE_STARTD = $(WNS)

Cheers,
Stewart


On Thu, 10 Oct 2019 at 16:40, Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Stewart,

Which HTCondor and HTCondor-CE versions/packages are you running, e.g. `rpm -q htcondor-ce condor`?

Do you see any corresponding PERMISSION_DENIED errors in `/var/log/condor/SchedLog` on your CE host or `/var/log/condor/CollectorLog` on your central manager?

Thanks,
Brian

On 10/10/19 10:24 AM, Stewart Martin-Haugh wrote:
Hi,

We're setting up a HTCondor-CE instance at RAL Tier-1, and we're trying to submit to a central manager.

Checking the job routing gives an error:
condor_ce_router_q
   JOBS ST Route                GridResource
Error: Couldn't contact the condor_collector on

`condor_ce_status -any` returns the expected daemons. We can't see anything else obviously wrong with the configuration.

Cheers,
Stewart
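
The diagnosis reached in this thread (the value reported by `condor_ce_config_val -v` came from `<Environment>` and shadowed what `config.d` sets) can be scripted. This is an added example, not part of the original messages and not HTCondor-CE's own code: the function names are hypothetical, the sample input is constructed from the output quoted in the thread, and it assumes the `grep` lines are passed in the order HTCondor reads the files.

```python
import re

ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$")
SOURCE = re.compile(r"^\s*#\s*at:\s*(.+?)\s*$")
# Constructed sample input, taken from the command output quoted in the thread.
SAMPLE_VERBOSE = "SEC_CLIENT_AUTHENTICATION_METHODS = GSI,FS\n # at: <Environment>\n"
SAMPLE_GREP = [
    "/etc/condor-ce/config.d/01-common-auth.conf:SEC_CLIENT_AUTHENTICATION_METHODS = FS,GSI",
    "/etc/condor-ce/config.d/01-common-auth.conf:SEC_CLIENT_AUTHENTICATION_METHODS"
    " = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD",
]

def split_methods(value):
    # 'FS,GSI, PASSWORD' -> ['FS', 'GSI', 'PASSWORD']; order is kept on purpose
    return [m.strip().upper() for m in value.split(",") if m.strip()]

def parse_verbose(text):
    """Parse `condor_ce_config_val -v NAME` output into (name, methods, source)."""
    name = value = source = None
    for line in text.splitlines():
        if (m := SOURCE.match(line)):
            source = m.group(1)
        elif name is None and (m := ASSIGN.match(line)):
            name, value = m.groups()
    if name is None:
        raise ValueError("no 'NAME = VALUE' line in input")
    return name, split_methods(value), source

def resolve_from_files(name, grep_lines):
    """Apply `path:NAME = VALUE` lines in order; $(NAME) expands to the previous value."""
    current = ""
    for line in grep_lines:
        _path, _, assignment = line.partition(":")
        m = ASSIGN.match(assignment)
        if m and m.group(1) == name:
            current = m.group(2).replace(f"$({name})", current)
    return split_methods(current)

def diagnose(verbose_text, grep_lines, required="PASSWORD"):
    """Return findings explaining why `required` is not being offered by the client."""
    name, effective, source = parse_verbose(verbose_text)
    from_files = resolve_from_files(name, grep_lines)
    findings = []
    if required not in effective:
        findings.append(f"{required} missing from effective {name}={','.join(effective)}")
    if source == "<Environment>" and effective != from_files:
        findings.append(f"_condor_{name} in the environment overrides config.d "
                        f"(files resolve to {','.join(from_files)})")
    return findings

print("\n".join(diagnose(SAMPLE_VERBOSE, SAMPLE_GREP)))
```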
