
[HTCondor-users] setting up condor-9.0.4 with some newbie questions



Hello,

I'm setting up a test htcondor cluster coupled with an ARC-CE, and I've
started grasping at straws for how to correctly implement the new 9.0
security model using the IDTOKENs for authentication and then defining
the correct authorisation rules. I'm still new to htcondor and I've been
following the instructions closely between these two sections:

https://htcondor.readthedocs.io/en/v9_0/admin-manual/security.html#quick-configuration-of-security

https://htcondor.readthedocs.io/en/v9_0/admin-manual/security.html#example-of-authorization-security-configuration

however, for the authorisation, I'm still seeing these errors in
/var/log/condor/CollectorLog:

08/16/21 18:40:51 (Sending 3 ads in response to query)
08/16/21 18:40:51 Query info: matched=3; skipped=8; query_time=0.000392;
send_time=0.000731; type=Any; requirements={(((MyType == "Submitter"))
|| ((MyType == "Machine")))}; locate=0; limit=0; from=COLLECTOR;
peer=<XXXX>; projection={}; filter_private_ads=0
08/16/21 18:40:51 QueryWorker: forked new high priority worker with id
32536 ( max 4 active 1 pending 0 )
08/16/21 18:41:00 DC_AUTHENTICATE: authentication of <XXXX> was
successful but resulted in a limited authorization which did not include
this command (5 QUERY_STARTD_ADS), so aborting.
08/16/21 18:41:00 DC_AUTHENTICATE: Command not authorized, done!

I'm using the same ALLOW_* statements defined at
https://htcondor.readthedocs.io/en/v9_0/admin-manual/security.html#example-of-authorization-security-configuration
but this doesn't seem to be the case, and if I define nothing or some
very 'open' version of those rules, I still see the same error. I ran
the condor_token_request_auto_approve for the netblock the servers
are in so that shouldn't be the blocking factor (I think)... Can you
give me some hints as to how to fix the limited authorisation problem?

Thanks,

Mary
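
A triage helper for the CollectorLog excerpt quoted in the message above, added here as an example and not part of the original post or of HTCondor: it rejoins wrapped log lines and counts which peers are aborted by the limited-authorization check, and for which command. The log text is a constructed sample modelled on the quoted lines; `<PEER-A>`, `<PEER-B>` and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the CollectorLog layout quoted above, including the
# hard line wraps seen in the mail; the peers are placeholders.
SAMPLE_LOG = """\
08/16/21 18:40:51 (Sending 3 ads in response to query)
08/16/21 18:41:00 DC_AUTHENTICATE: authentication of <PEER-A> was
successful but resulted in a limited authorization which did not include
this command (5 QUERY_STARTD_ADS), so aborting.
08/16/21 18:41:00 DC_AUTHENTICATE: Command not authorized, done!
08/16/21 18:42:10 DC_AUTHENTICATE: authentication of <PEER-A> was successful but resulted in a limited authorization which did not include this command (5 QUERY_STARTD_ADS), so aborting.
08/16/21 18:43:05 DC_AUTHENTICATE: authentication of <PEER-B> was successful but resulted in a limited authorization which did not include this command (5 QUERY_STARTD_ADS), so aborting.
"""

STAMP = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
DENIED = re.compile(
    r"^(?P<ts>\S+ \S+) DC_AUTHENTICATE: authentication of <(?P<peer>[^>]*)> "
    r"was successful but resulted in a limited authorization which did not "
    r"include this command \((?P<num>\d+) (?P<name>\w+)\)"
)

def records(text):
    """Rejoin wrapped continuation lines so each record starts with a timestamp."""
    current = None
    for line in text.splitlines():
        if STAMP.match(line):
            if current is not None:
                yield current
            current = line.rstrip()
        elif current is not None and line.strip():
            current += " " + line.strip()
    if current is not None:
        yield current

def limited_authz_denials(text):
    """Count (peer, command number, command name) for each limited-authorization abort."""
    hits = Counter()
    for rec in records(text):
        m = DENIED.match(rec)
        if m:
            hits[(m["peer"], int(m["num"]), m["name"])] += 1
    return hits

if __name__ == "__main__":
    for (peer, num, name), n in limited_authz_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  peer={peer}  command={num} {name}")
```

Grouping by peer and command shows whether every abort comes from one client identity asking for the same command, which narrows down which credential to inspect.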