[HTCondor-users] IDTOKENS and cli

I'm still flailing about trying to get idtokens working on a new 9.0.12 schedd in my cluster.

I was finally able to get the schedd talking to the collector by issuing a new token with condor_token_create (and a long list of permissions), then signing it on the CM:

condor_token_create -identity schedd@xxxxxxxxxxxxxxxxxxxxxxxx -authz DAEMON -authz UPDATE_SCHEDD_AD -authz READ -authz WRITE -authz QUERY_STARTD_ADS -authz UPDATE_AD_GENERIC -authz ADMINISTRATOR

However, I'm unable to get some CLI commands to work. Notably, the 'condor_status' command, when run as root, returns:

# condor_status
Error: communication error
SECMAN:2010:Received "DENIED" from server for user condor@xxxxxxxxxxxxxxxxxxxxxxxx using method IDTOKENS.

The collector reports the following error:

04/25/22 16:41:03 DC_AUTHENTICATE: message authenticator enabled with key id ldas-condor:2734:1650922863:33339.
04/25/22 16:41:03 DC_AUTHENTICATE: Success.
04/25/22 16:41:03 DC_AUTHENTICATE: authentication of <> was successful but resulted in a limited authorization which did not include this command (5 QUERY_STARTD_ADS), so aborting.

...which seems odd considering that I explicitly included QUERY_STARTD_ADS in the token request above.

As a user, it won't even authenticate:

$ condor_status
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
AUTHENTICATE:1004:Failed to authenticate using FS

Any suggestions on where to look next?
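Added example, not part of the post or of HTCondor's own code: when the collector reports a "limited authorization" denial, the first thing worth checking is what the presented token actually carries. The script below decodes an IDTOKEN's payload without verifying its signature and reports whether the scope claim names a given authorization level. It assumes the documented claim layout (iss, sub, iat, jti, and a space-separated scope of condor:/LEVEL entries); the token it decodes is constructed for illustration, and a real one can be taken from the file that condor_token_list points at.

```python
import base64
import json

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(payload: dict) -> str:
    # Constructed sample only: the signature is junk, so nothing here proves
    # the token was issued by the pool's signing key.
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": "POOL"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{_b64url_encode(b'not-a-real-signature')}"

# Sample claims in the shape condor_token_create writes (issue time, issuer,
# token id, scope of condor:/<LEVEL> entries, identity). Values are made up.
SAMPLE_TOKEN = make_sample_token({
    "iat": 1650922863,
    "iss": "ldas-condor",
    "jti": "0123456789abcdef",
    "scope": "condor:/DAEMON condor:/ADVERTISE_SCHEDD",
    "sub": "schedd@pool.example",
})

def decode_idtoken(token: str) -> dict:
    """Return the header and payload claims of an IDTOKEN without verifying it."""
    header, payload, _signature = token.strip().split(".")
    return {"header": json.loads(_b64url_decode(header)),
            "payload": json.loads(_b64url_decode(payload))}

def token_levels(payload: dict):
    """Authorization levels named in the scope claim, or None when the token
    has no scope claim (then it does not narrow the identity's configured
    ALLOW_* authorization at all)."""
    scope = payload.get("scope")
    if scope is None:
        return None
    return {s[len("condor:/"):] for s in scope.split() if s.startswith("condor:/")}

def token_allows(token: str, level: str) -> bool:
    """True if the token's scope includes `level` (exact name match; levels
    implied by others, e.g. through DAEMON, are not modelled here)."""
    levels = token_levels(decode_idtoken(token)["payload"])
    return True if levels is None else level in levels

if __name__ == "__main__":
    for level in ("DAEMON", "READ"):
        print(level, token_allows(SAMPLE_TOKEN, level))
```

Run it against a real token by replacing SAMPLE_TOKEN with the file contents; a level missing from the printed scope explains a denial like the one in the collector log, while a token with no scope claim leaves the decision entirely to the mapped identity's ALLOW_* settings.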