
Re: [HTCondor-users] Moving CM to new host

On 4/19/22 15:29, Bockelman, Brian wrote:

On Apr 19, 2022, at 2:55 PM, Michael Thomas <wart@xxxxxxxxxxx> wrote:

Hi Brian,

As always, you were right.  Changing the security requirements from 'OPTIONAL' to 'REQUIRED' fixed it.

I still don't quite understand why there are no token requests showing up or being generated in /etc/condor/tokens.d.  But since my startds and collector are talking with each other, I'm not going to worry about it.

Any possibility you have a common signing key (the "pool password") on each host?

If there's no token in place - but the pool password is present - the daemons will generate a token in-memory and use that to authenticate (recall: anyone with the signing key can create their own valid token).  The idea was to create a "graceful fallback" to PASSWD-like authentication and ease the transition for folks coming from that mechanism.

Yes, in fact I do have a pool password file on each host. The next time I get a chance, I'll remove the password file and see if the token requests start getting generated.
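
A host-side check for the fallback discussed in this thread, as an added example that is not part of the original messages or of HTCondor itself. The function names are hypothetical, and the /etc/condor/passwords.d default for the signing-key directory is an assumption; pass your own paths as arguments.

```shell
#!/bin/sh
# Added example: report which credential the daemons on this host would find,
# following the fallback described in the thread.

# Count non-empty regular files directly inside a directory (0 if it is missing).
count_creds() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -maxdepth 1 -type f -size +0c 2>/dev/null | wc -l | tr -d ' '
}

# Print one of: token-on-disk, signing-key-fallback, no-credentials
idtoken_state() {
    tokens_dir=${1:-/etc/condor/tokens.d}
    keys_dir=${2:-/etc/condor/passwords.d}   # assumed signing-key location
    tokens=$(count_creds "$tokens_dir")
    keys=$(count_creds "$keys_dir")
    if [ "$tokens" -gt 0 ]; then
        echo token-on-disk
    elif [ "$keys" -gt 0 ]; then
        # No token but a signing key: per the thread, the daemons generate
        # a token in memory and authenticate with that.
        echo signing-key-fallback
    else
        echo no-credentials
    fi
}

# List signing-key files that group or others can access. Anyone who can
# read the key can create a valid token, so this should print nothing.
loose_keys() {
    keys_dir=${1:-/etc/condor/passwords.d}
    [ -d "$keys_dir" ] || return 0
    find "$keys_dir" -maxdepth 1 -type f -perm /077 2>/dev/null
}

# Usage: idtoken_state /etc/condor/tokens.d /etc/condor/passwords.d
```

A result of signing-key-fallback on every host matches the situation described above: the daemons authenticate with each other while tokens.d stays empty.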