Hi Brian,
That doesn't work - I get
ERROR
SECMAN:2010:Received "DENIED" from server for user condor_pool@xxxxxxxxxxxxxxxxxx using method PASSWORD.
Can't send Reconfig command to local master
However, something seems to have changed, because I get
condor_ce_router_q -v
JOBS ST Route GridResource
Error: Collector has no record of schedd/submitter
which is different, if not necessarily better...
Cheers,
Stewart
On Fri, 18 Oct 2019 at 15:21, Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Stewart,
D'oh, that's right -- we change the order of the client auth methods in the client script wrapper. Could you try setting `TOOL.SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD` then reconfiguring? If that works, I'll work on removing our override in the wrapper and set it in the configuration instead.
If that doesn't work, you should be able to run `_condor_SEC_CLIENT_AUTHENTICATION_METHODS=GSI,FS,PASSWORD condor_ce_router_q`.
Thanks,
Brian
On 10/18/19 9:04 AM, Stewart Martin-Haugh wrote:
Hi Brian,
It's taking it from the environment:
SEC_CLIENT_AUTHENTICATION_METHODS = GSI,FS
# at: <Environment>
despite me setting it in the 01-common-auth.conf file.
Cheers,
Stewart
On Fri, 18 Oct 2019 at 14:52, Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Stewart,
Try running `condor_ce_config_val -v SEC_CLIENT_AUTHENTICATION_METHODS`; that'll tell you which file is setting that configuration.
- Brian
On 10/18/19 4:08 AM, Stewart Martin-Haugh wrote:
Hi Brian,
I tried this but I still don't see the changed value - I've reconfigured and restarted, and I see:
condor_ce_config_val -dump | grep SEC_CLIENT_AUTHENTICATION_METHODS
SEC_CLIENT_AUTHENTICATION_METHODS = GSI,FS
grep SEC_CLIENT_AUTHENTICATION_METHODS /etc/condor-ce/config.d/ -r
/etc/condor-ce/config.d/01-common-auth.conf:SEC_CLIENT_AUTHENTICATION_METHODS = FS,GSI
/etc/condor-ce/config.d/01-common-auth.conf:SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD
I also tried putting it in a different file just in case, same result.
Cheers,
Stewart
On Thu, 17 Oct 2019 at 19:34, Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Stewart,
I suspect that you may need to configure HTCondor-CE to use the same pool password as the condor pool (as well as enabling PASSWORD auth).
1) So set the following in `/etc/condor-ce/config.d/`:
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD
SEC_PASSWORD_FILE = /etc/condor/private/poolpassword
2) Then run condor_ce_reconfig.
If that doesn't work, we'll need to debug further:
On your central manager, set `COLLECTOR_DEBUG = $(COLLECTOR_DEBUG) D_CAT D_ALWAYS:2 D_SECURITY` and start tailing the log. On your CE host, run `condor_ce_router_q` and you should be able to see corresponding authorization messages in your CM's CollectorLog.
- Brian
On 10/10/19 3:00 PM, Stewart Martin-Haugh wrote:
Hi Brian,
Thanks for the quick response.
rpm -q htcondor-ce condor
htcondor-ce-3.2.2-1.el7.noarch
condor-8.8.4-1.el7.x86_64
No errors on the CE. On the CM I don't see any recent PERMISSION DENIED errors - there are some from earlier today but we've been working on the configuration. Those errors are, for completeness:
/var/log/condor/CollectorLog:10/10/19 10:59:13 PERMISSION DENIED to condor_pool@xxxxxxxxxxxxxxx from host 111.222.333.444 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: reason: ADVERTISE_SCHEDD authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 111.222.333.444,host-111-222-333-444.nubes.stfc.ac.uk, hostname size = 1, original ip address = 111.222.333.444
/var/log/condor/CollectorLog:10/10/19 12:54:24 PERMISSION DENIED to condor_pool@xxxxxxxxxxxxxxx from host 111.222.333.444 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: reason: ADVERTISE_SCHEDD authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 111.222.333.444,host-111-222-333-444.nubes.stfc.ac.uk, hostname size = 1, original ip address = 111.222.333.444
/var/log/condor/NegotiatorLog:10/10/19 14:59:57 PERMISSION DENIED to condor_pool@xxxxxxxxxxxxxxx from host 111.222.333.444 for command 421 (Reschedule), access level DAEMON: reason: DAEMON authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 111.222.333.444,host-111-222-333-444.nubes.stfc.ac.uk, hostname size = 1, original ip address = 111.222.333.444
condor_config is as follows:
ALLOW_DAEMON = condor_pool@xxxxxxxxxxxxxxx/*.gridpp.rl.ac.uk, $(FULL_HOSTNAME), submit-side@matchsession, condor_pool@xxxxxxxxxxxxxxx/host-111-222-333-444.nubes.stfc.ac.uk, 111.222.333.444
CES = condor_pool@xxxxxxxxxxxxxxx/arc.gridpp.rl.ac.uk,condor_pool@xxxxxxxxxxxxxxx/host-111-222-333-444.nubes.stfc.ac.uk
COLLECTOR.ALLOW_ADVERTISE_MASTER = $(CES), $(CMS), $(WNS)
COLLECTOR.ALLOW_ADVERTISE_SCHEDD = $(CES)
COLLECTOR.ALLOW_ADVERTISE_STARTD = $(WNS)
Cheers,
Stewart
On Thu, 10 Oct 2019 at 16:40, Brian Lin <blin@xxxxxxxxxxx> wrote:
Hi Stewart,
Which HTCondor and HTCondor-CE versions/packages are you running, e.g. `rpm -q htcondor-ce condor`?
Do you see any corresponding PERMISSION_DENIED errors in `/var/log/condor/SchedLog` on your CE host or `/var/log/condor/CollectorLog` on your central manager?
Thanks,
Brian
On 10/10/19 10:24 AM, Stewart Martin-Haugh wrote:
Hi,
We're setting up a HTCondor-CE instance at RAL Tier-1, and we're trying to submit to a central manager.
Checking the job routing gives an error:
condor_ce_router_q
JOBS ST Route GridResource
Error: Couldn't contact the condor_collector on
condor_ce_status -any returns the expected daemons. We can't see anything else obviously wrong with the configuration.
Cheers,
Stewart
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a subject: Unsubscribe
You can also unsubscribe by visiting https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at: https://lists.cs.wisc.edu/archive/htcondor-users/
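Added example, not part of the original thread or of HTCondor: a small parser for the PERMISSION DENIED lines quoted above from CollectorLog and NegotiatorLog, grouping denials by access level, authenticated user and source host so it is clear which ALLOW list has no matching entry. The sample lines are constructed (documentation address and domain), and the function names are hypothetical.

```python
import re
from collections import Counter

# Shape of the PERMISSION DENIED lines quoted in the thread. The leading
# "path:" only appears when the lines come from grep over several log files.
DENIED = re.compile(
    r"^(?:(?P<log>/\S+?):)?(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"PERMISSION DENIED to (?P<user>\S+) from host (?P<host>\S+) "
    r"for command (?P<num>\d+) \((?P<cmd>[^)]+)\), "
    r"access level (?P<level>\w+): reason: (?P<reason>.*)$"
)
IDENTS = re.compile(r"identifiers used for this host: (.*?), hostname size")

_TAIL = ("authorization policy contains no matching ALLOW entry for this request; "
         "identifiers used for this host: 192.0.2.10,ce.example.org, "
         "hostname size = 1, original ip address = 192.0.2.10")
# Constructed sample input, not data from the thread.
SAMPLE = "\n".join([
    "/var/log/condor/CollectorLog:10/10/19 10:59:13 PERMISSION DENIED to condor_pool@example.org "
    "from host 192.0.2.10 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: "
    "reason: ADVERTISE_SCHEDD " + _TAIL,
    "/var/log/condor/CollectorLog:10/10/19 12:54:24 PERMISSION DENIED to condor_pool@example.org "
    "from host 192.0.2.10 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: "
    "reason: ADVERTISE_SCHEDD " + _TAIL,
    "10/10/19 14:59:57 PERMISSION DENIED to condor_pool@example.org from host 192.0.2.10 "
    "for command 421 (Reschedule), access level DAEMON: reason: DAEMON " + _TAIL,
    "10/10/19 15:00:01 (constructed) unrelated log line",
])

def parse_denials(text):
    """Return one dict per PERMISSION DENIED line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DENIED.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        ids = IDENTS.search(rec["reason"])
        # Names the daemon tried to match against the ALLOW list for this host.
        rec["identifiers"] = [s.strip() for s in ids.group(1).split(",")] if ids else []
        out.append(rec)
    return out

def summarize(records):
    """Count denials per (ALLOW_<level> knob, authenticated user, source host).
    The knob may carry a subsystem prefix, e.g. COLLECTOR.ALLOW_ADVERTISE_SCHEDD."""
    return Counter(("ALLOW_" + r["level"], r["user"], r["host"]) for r in records)

if __name__ == "__main__":
    for (knob, user, host), n in summarize(parse_denials(SAMPLE)).most_common():
        print(f"{n}x {user} from {host}: no matching entry in {knob}")
```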