[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Condor mapfile


Definitely set the debug levels as Steve suggested and we should be able to figure out what is happening.

HTCondor does pass the entire FQAN as input when using the mapfile so I would expect that regexes should be able to match against those attributes.

Let's see what the debug logs say.  They are *extremely* verbose with both D_SECURITY and D_FULLDEBUG enabled, so if you would like me to look at it and extract the useful parts just let me know.


ïOn 6/29/20, 4:30 PM, "HTCondor-users on behalf of Steven C Timm" <htcondor-users-bounces@xxxxxxxxxxx on behalf of timm@xxxxxxxx> wrote:

    You might want to look at the lcmaps_voms package which can be used to properly parse VO attributes in proxies and let you set up a real voms-mapfile as opposed to trying to do it all in the condor_mapfile.

    But as for debugging the mapfile, set

    all the debugs to 


    and it will let you know what is mapping as what.

    I believe what is getting you in the current config, is that the FQAN is not presented
    to the GSI mapping function in the condor_mapfile, it can only see the DN which is the first part before the /dune/Role=.... 
    so the wild cards you have in the condor_mapfile that contain roles
    will not match that way

    You will have to set up your mapfile based only on DN's.. since the submission DN is always different for Alice, LHCB, and DUNE it shouldn't be hard.

    The job_Router entries based on x509userproxyfirstfqan should work though
    and you can use those job_router entries to assign an AccountingGroup and thus keep track of which jobs are which.

    Steve Timm

    From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of ejunior@xxxxxxx <ejunior@xxxxxxx>
    Sent: Monday, June 29, 2020 4:18 PM
    To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
    Subject: [HTCondor-users] Condor mapfile  

    Hi all,

    first of all my condor installation:
    $CondorVersion: 8.8.9 May 06 2020 BuildID: 503068 PackageID: 8.8.9-1 $
    $CondorPlatform: x86_64_CentOS7 $

    I'm trying to setup my mapfile without success.

    Here the FQANs that I want to map:

    x509UserProxyFQAN =  
    "/DC=org/DC=incommon/C=US/ST=Illinois/L=Batavia/O=Fermi Research  
    x509UserProxyFQAN = "/DC=ch/DC=cern/OU=Organic  
    Units/OU=Users/CN=user/CN=0000/CN=Name Last  
    x509UserProxyFQAN = "/DC=ch/DC=cern/OU=Organic  
    Units/OU=Users/CN=user/CN=0000/CN=Name Last  

    Here my configuration files:

    Extract of condor_mapfile
    GSI ".*,\/alice\/Role\=.*" user_alice
    GSI ".*,\/lhcb\/Role\=.*" user_lhcb
    GSI ".*,\/dune\/Role\=.*" user_dune
    GSI (.*) user_others
    CLAIMTOBE .* anonymous@claimtobe
    FS (.*) \1


    Extract of Job_router:
       TargetUniverse = 5;
         name = "Filtering alice jobs";
       Requirements = regexp("\/alice\/Role\=*", TARGET.x509UserProxyFirstFQAN);

       TargetUniverse = 5;
         name = "Filtering LHCb jobs";
       Requirements = regexp("\/lhcb\/Role\=*", TARGET.x509UserProxyFirstFQAN);

       TargetUniverse = 5;
         name = "Filtering Dune jobs";
       Requirements = regexp("\/dune\/Role\=*", TARGET.x509UserProxyFirstFQAN);


    What I'm doing wrong ?

    Best regards,

    Eraldo Jr
    HTCondor-users mailing list
    To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
    subject: Unsubscribe
    You can also unsubscribe by visiting

    The archives can be found at: