
Re: [HTCondor-users] Inconsistency in authorizations for condor_userprio



Hi Bert, 
 
It seems you are running up against some experimental code to give (as you guessed) fine-grained control to some users so they can set the prio factor of groups that they own.

You should not be hitting this error message if you have ADMINISTRATOR access to the NEGOTIATOR. HTCondor 9.0 has the same experimental code, so it is unexpected that one version works but the other does not. The real problem is likely some other change to the config or to the HTCondor auth code.

We are looking into this and will post an update when we figure out what is going wrong and/or find a workaround for you.

-tj


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Bert DeKnuydt <Bert.DeKnuydt@xxxxxxxxxxxxxxxx>
Sent: Thursday, January 6, 2022 8:47 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Inconsistency in authorizations for condor_userprio
 
Hello Condorists ...

I run HTCondor 9.0.8, on Rocky in this case, but that is irrelevant.

As root, from the Negotiator, or from another node I get:

[root@aries8 ~]# condor_userprio -setceiling deknuydt@xxxxxxxxxxxxxxxx 123
The ceiling of deknuydt@xxxxxxxxxxxxxxxx was set to 123

--> Works as expected

[root@aries8 ~]# condor_userprio -setfactor deknuydt@xxxxxxxxxxxxxxxx 1
set priority factor failed: Not an administrator and authorization maps (NEGOTIATOR_CLASSAD_USER_MAP_NAMES) is not set.

--> This nags and does nothing.

For all clarity, I do have ADMINISTRATOR rights:

[root@aries8 ~]# condor_ping -address "<10.87.24.157:9618>" -table ADMINISTRATOR
         Instruction Authentication Encryption Integrity Decision Identity
       ADMINISTRATOR       PASSWORD        AES       AES    ALLOW condor_pool@xxxxxxxxxxxxxxxx

I don't get what is going on here:

1) The first needs no particular extra security, but the second, with similar implications to the user, claims it does.

2) I cannot find any mention of NEGOTIATOR_CLASSAD_USER_MAP_NAMES in the documentation.  I guess it might be a map to map ordinary users to get some additional rights?

Seems I'm missing something here.  IIRC, in earlier 9.0.* this did NOT happen.

Regards, B. DeKnuydt