I've been having many problems getting Condor working, so I decided to start from the beginning and very carefully configure the service on only one machine, the central manager. I thought that I should try from the beginning to configure user-level access rather than trying to tighten access to the system later. I have Kerberos authentication, and I would like to make it work. I also set up a pool password as a fallback for machines that won't have a Kerberos principal. When I start the service, I'm able to query the queue. Here is a typical example:

----------
kulisics@arsenic-> condor_q -debug
2/4 23:37:18 KEYCACHE: created: 0x840fd20
2/4 23:37:18 STARTCOMMAND: starting 1111 to <169.232.135.121:9686> on TCP port 9737.
2/4 23:37:18 SECMAN: command 1111 to <169.232.135.121:9686> on TCP port 9737 (blocking).
2/4 23:37:18 SECMAN: new session, doing initial authentication.
2/4 23:37:18 SECMAN: Auth methods: KERBEROS,PASSWORD,FS,FS_REMOTE
2/4 23:37:18 HANDSHAKE: in handshake(my_methods = 'KERBEROS,PASSWORD,FS,FS_REMOTE')
2/4 23:37:18 HANDSHAKE: handshake() - i am the client
2/4 23:37:18 HANDSHAKE: sending (methods == 588) to server
2/4 23:37:18 HANDSHAKE: server replied (method = 64)
2/4 23:37:18 KERBEROS: krb5_unparse_name: host/arsenic.chem.ucla.edu@xxxxxxxxxxxxx
2/4 23:37:18 KERBEROS: no user yet determined, will grab up to slash
2/4 23:37:18 KERBEROS: picked user: host
2/4 23:37:18 KERBEROS: remapping 'host' to 'condor'
2/4 23:37:18 Client is condor@xxxxxxxxxxxxx
2/4 23:37:18 KERBEROS: Server principal is host/arsenic.chem.ucla.edu@xxxxxxxxxxxxx
2/4 23:37:18 Acquiring credential for user
2/4 23:37:18 Successfully located credential cache
2/4 23:37:18 Remote host is 169.232.135.121
2/4 23:37:18 Authentication was a Success.
2/4 23:37:18 SECMAN: successfully enabled message authenticator!
2/4 23:37:18 SECMAN: successfully enabled encryption!
2/4 23:37:18 SECMAN: added session arsenic:26905:1170661038:7 to cache for 60 seconds.
2/4 23:37:18 SECMAN: startCommand succeeded.

-- Submitter: arsenic.chem.ucla.edu : <169.232.135.121:9686> : arsenic.chem.ucla.edu
 ID      OWNER            SUBMITTED     RUN_TIME ST PRI SIZE CMD

0 jobs; 0 idle, 0 running, 0 held
----------

Here is the output of condor_status:

----------
kulisics@arsenic-> condor_status -debu
2/4 23:38:01 KEYCACHE: created: 0x835efd0
2/4 23:38:01 STARTCOMMAND: starting 5 to <169.232.135.121:9618> on TCP port 9667.
2/4 23:38:01 SECMAN: command 5 to <169.232.135.121:9618> on TCP port 9667 (blocking).
2/4 23:38:01 SECMAN: new session, doing initial authentication.
2/4 23:38:01 SECMAN: Auth methods: KERBEROS,PASSWORD,FS,FS_REMOTE
2/4 23:38:01 HANDSHAKE: in handshake(my_methods = 'KERBEROS,PASSWORD,FS,FS_REMOTE')
2/4 23:38:01 HANDSHAKE: handshake() - i am the client
2/4 23:38:01 HANDSHAKE: sending (methods == 588) to server
2/4 23:38:01 HANDSHAKE: server replied (method = 64)
2/4 23:38:01 KERBEROS: krb5_unparse_name: host/arsenic.chem.ucla.edu@xxxxxxxxxxxxx
2/4 23:38:01 KERBEROS: no user yet determined, will grab up to slash
2/4 23:38:01 KERBEROS: picked user: host
2/4 23:38:01 KERBEROS: remapping 'host' to 'condor'
2/4 23:38:01 Client is condor@xxxxxxxxxxxxx
2/4 23:38:01 KERBEROS: Server principal is host/arsenic.chem.ucla.edu@xxxxxxxxxxxxx
2/4 23:38:01 Acquiring credential for user
2/4 23:38:01 Successfully located credential cache
2/4 23:38:01 Remote host is 169.232.135.121
2/4 23:38:01 Authentication was a Success.
2/4 23:38:01 SECMAN: successfully enabled message authenticator!
2/4 23:38:01 SECMAN: successfully enabled encryption!
2/4 23:38:01 SECMAN: added session arsenic:26903:1170661081:32 to cache for 60 seconds.
2/4 23:38:01 SECMAN: startCommand succeeded.
----------

The problem is that the central manager is supposed to be an execute and submit host as well in this testing configuration, but, as you can see, it doesn't appear in the output of condor_status.
The CollectorLog has the following error message:

----------
2/4 23:41:09 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9696>.
2/4 23:41:09 DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.232.135.121:9696>
2/4 23:41:09 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649610:7 given to <169.232.135.121:9745>:
2/4 23:41:09 DC_AUTHENTICATE: Success.
2/4 23:41:09 Got SIGHUP. Re-reading config files.
2/4 23:41:09 In ViewServer::Config()
2/4 23:41:09 In CollectorDaemon::Config()
2/4 23:41:09 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9730>.
2/4 23:41:09 DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.232.135.121:9730>
2/4 23:41:09 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649433:4 given to <169.232.135.121:9664>:
2/4 23:41:09 DC_AUTHENTICATE: Success.
2/4 23:41:09 IPVERIFY: matched with *
2/4 23:41:09 IPVERIFY: matched with *
2/4 23:41:09 DaemonCore: PERMISSION DENIED to unknown user from host <169.232.135.121:9730> for command 2 (UPDATE_MASTER_AD)
2/4 23:41:09 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9715>.
2/4 23:41:09 DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.232.135.121:9715>
2/4 23:41:09 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649429:3 given to <169.232.135.121:9660>:
2/4 23:41:09 DC_AUTHENTICATE: Success.
2/4 23:41:09 IPVERIFY: matched with *
2/4 23:41:09 IPVERIFY: matched with *
2/4 23:41:09 DaemonCore: PERMISSION DENIED to unknown user from host <169.232.135.121:9715> for command 1 (UPDATE_SCHEDD_AD)
2/4 23:41:09 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9725>.
2/4 23:41:09 DC_AUTHENTICATE: packet from <169.232.135.121:9744> uses MD5 session arsenic:26903:1170649429:2.
2/4 23:41:09 MD verified!
2/4 23:41:09 DC_AUTHENTICATE: message authenticator enabled with key id arsenic:26903:1170649429:2.
2/4 23:41:09 DC_AUTHENTICATE: packet from <169.232.135.121:9744> uses crypto session arsenic:26903:1170649429:2.
2/4 23:41:09 DC_AUTHENTICATE: encryption enabled with key id arsenic:26903:1170649429:2.
2/4 23:41:09 DC_AUTHENTICATE: authenticated UDP message is from condor@xxxxxxxxxxxxxx
2/4 23:41:09 DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.232.135.121:9725>
2/4 23:41:09 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649429:2 given to <169.232.135.121:9672>:
2/4 23:41:09 DC_AUTHENTICATE: Success.
2/4 23:41:09 IPVERIFY: hoststring: arsenic.chem.ucla.edu
2/4 23:41:09 IPVERIFY: hoststring: arsenic
2/4 23:41:09 DaemonCore: PERMISSION DENIED to condor@xxxxxxxxxxxxx from host <169.232.135.121:9725> for command 49 (UPDATE_NEGOTIATOR_AD)
2/4 23:41:10 STARTCOMMAND: starting 60008 to <169.232.135.121:9651> on UDP port 9687.
2/4 23:41:10 SECMAN: command 60008 to <169.232.135.121:9651> on UDP port 9687 (blocking).
2/4 23:41:10 SECMAN: using session arsenic:26902:1170649429:1 for {<169.232.135.121:9651>,<60008>}.
2/4 23:41:10 SECMAN: UDP, have_session == 1, can_neg == 1
2/4 23:41:10 SECMAN: startCommand succeeded.
2/4 23:41:13 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9726>.
2/4 23:41:13 DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.232.135.121:9726>
2/4 23:41:13 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649439:5 given to <169.232.135.121:9709>:
2/4 23:41:13 DC_AUTHENTICATE: Success.
2/4 23:41:13 IPVERIFY: matched with *
2/4 23:41:13 IPVERIFY: matched with *
2/4 23:41:13 DaemonCore: PERMISSION DENIED to unknown user from host <169.232.135.121:9726> for command 0 (UPDATE_STARTD_AD)
2/4 23:41:14 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9706>.
2/4 23:41:14 DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.232.135.121:9706>
2/4 23:41:14 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649439:5 given to <169.232.135.121:9709>:
2/4 23:41:14 DC_AUTHENTICATE: Success.
2/4 23:41:14 IPVERIFY: matched with *
2/4 23:41:14 IPVERIFY: matched with *
2/4 23:41:14 DaemonCore: PERMISSION DENIED to unknown user from host <169.232.135.121:9706> for command 0 (UPDATE_STARTD_AD)
2/4 23:41:15 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9703>.
2/4 23:41:15 DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.232.135.121:9703>
2/4 23:41:15 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649439:5 given to <169.232.135.121:9709>:
2/4 23:41:15 DC_AUTHENTICATE: Success.
2/4 23:41:15 IPVERIFY: matched with *
2/4 23:41:15 IPVERIFY: matched with *
2/4 23:41:15 DaemonCore: PERMISSION DENIED to unknown user from host <169.232.135.121:9703> for command 0 (UPDATE_STARTD_AD)
2/4 23:41:16 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9712>.
2/4 23:41:16 DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.232.135.121:9712>
2/4 23:41:16 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649439:5 given to <169.232.135.121:9709>:
2/4 23:41:16 DC_AUTHENTICATE: Success.
2/4 23:41:16 IPVERIFY: matched with *
2/4 23:41:16 IPVERIFY: matched with *
2/4 23:41:16 DaemonCore: PERMISSION DENIED to unknown user from host <169.232.135.121:9712> for command 0 (UPDATE_STARTD_AD)
----------

I can't seem to find any level of debugging that will tell me the identity of the user that the collector is rejecting or which authentication methods the collector tried to use. There are no other DENIED messages in the other logs. I'm attaching a copy of my configuration file. Of course, I can make this work by setting up the host-based access variables, but then I lose the ability to do any authentication.

Can someone offer some suggestions?

Thanks,
Joseph Kulisics

_____________________________________________________
For the judgement of mankind is as relentless to the weakness that falls short of a recognized renown, as it is jealous of the arrogance that aspires higher than its due.
Pericles as quoted by Thucydides, Book II of his history of the Peloponnesian War
Attachment:
condor_config
Description: Binary data
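The CollectorLog quoted in the post interleaves the session bookkeeping (which session a UDP packet resumed, and whether DaemonCore ever bound that session to a principal) with the PERMISSION DENIED lines, which makes it hard to see by eye that only one of the denied updates rode on an authenticated session. The script below is an added example, not part of the original post and not Condor's own code: it reads CollectorLog lines in the shape shown above, recovers the session id each denial resumed, and reports whether that session was ever tied to an "authenticated UDP message is from" principal. The sample lines embedded in it are constructed from the post's log, and the realm EXAMPLE.REALM stands in for the one the post masks with x's. It only reports what DaemonCore already logged; it cannot show which authentication methods the collector attempted.

```python
"""Summarize PERMISSION DENIED entries in a Condor CollectorLog.

Added example (not from the original post, not part of Condor).  For each
denial it reports the command, the identity DaemonCore attached to the
request, the security session the preceding packet resumed, and whether
any line in the log bound that session to an authenticated principal.
"""
import re
from collections import Counter

# Constructed sample in the shape of the CollectorLog quoted in the post.
# EXAMPLE.REALM is a placeholder for the realm the post masks.
SAMPLE_LOG = """\
2/4 23:41:09 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9730>.
2/4 23:41:09 DC_AUTHENTICATE: received DC_AUTHENTICATE from <169.232.135.121:9730>
2/4 23:41:09 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649433:4 given to <169.232.135.121:9664>:
2/4 23:41:09 DC_AUTHENTICATE: Success.
2/4 23:41:09 IPVERIFY: matched with *
2/4 23:41:09 DaemonCore: PERMISSION DENIED to unknown user from host <169.232.135.121:9730> for command 2 (UPDATE_MASTER_AD)
2/4 23:41:09 DC_AUTHENTICATE: received UDP packet from <169.232.135.121:9725>.
2/4 23:41:09 DC_AUTHENTICATE: packet from <169.232.135.121:9744> uses MD5 session arsenic:26903:1170649429:2.
2/4 23:41:09 MD verified!
2/4 23:41:09 DC_AUTHENTICATE: message authenticator enabled with key id arsenic:26903:1170649429:2.
2/4 23:41:09 DC_AUTHENTICATE: authenticated UDP message is from condor@EXAMPLE.REALM
2/4 23:41:09 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649429:2 given to <169.232.135.121:9672>:
2/4 23:41:09 DC_AUTHENTICATE: Success.
2/4 23:41:09 DaemonCore: PERMISSION DENIED to condor@EXAMPLE.REALM from host <169.232.135.121:9725> for command 49 (UPDATE_NEGOTIATOR_AD)
2/4 23:41:13 DC_AUTHENTICATE: resuming session id arsenic:26903:1170649439:5 given to <169.232.135.121:9709>:
2/4 23:41:13 DC_AUTHENTICATE: Success.
2/4 23:41:13 DaemonCore: PERMISSION DENIED to unknown user from host <169.232.135.121:9726> for command 0 (UPDATE_STARTD_AD)
"""

# Session ids look like host:pid:timestamp:counter and may end in a period.
RE_SESSION = re.compile(
    r"(?:uses (?:MD5|crypto) session|resuming session id|enabled with key id) ([^\s.]+)")
RE_AUTHED = re.compile(r"authenticated UDP message is from (\S+)")
RE_DENIED = re.compile(
    r"PERMISSION DENIED to (.+?) from host <([^>]+)> for command (\d+) \((\w+)\)")


def session_identities(log_text):
    """Map session id -> principal from 'authenticated UDP message' lines.

    DaemonCore names the session ('uses MD5 session ...') a few lines before
    it logs the principal, so the most recently seen session id is the one
    the principal belongs to.
    """
    identities = {}
    current = None
    for line in log_text.splitlines():
        m = RE_SESSION.search(line)
        if m:
            current = m.group(1)
            continue
        m = RE_AUTHED.search(line)
        if m and current:
            identities[current] = m.group(1)
    return identities


def parse_denials(log_text):
    """Return one dict per PERMISSION DENIED line, with the session it resumed."""
    identities = session_identities(log_text)
    denials = []
    current = None
    for line in log_text.splitlines():
        m = RE_SESSION.search(line)
        if m:
            current = m.group(1)
            continue
        m = RE_DENIED.search(line)
        if m:
            user, host, number, name = m.groups()
            denials.append({
                "command": name,
                "command_number": int(number),
                "user": user,
                "host": host,
                "session": current,
                "session_identity": identities.get(current),
            })
    return denials


def summarize(denials):
    """Count denials per (command, user) so the pattern is visible at a glance."""
    return Counter((d["command"], d["user"]) for d in denials)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(f"{d['command']:22s} denied to {d['user']!r} from {d['host']} "
              f"via session {d['session']} "
              f"(session principal: {d['session_identity'] or 'none logged'})")
    for (cmd, user), n in sorted(summarize(found).items()):
        print(f"{n:3d}  {cmd:22s} {user}")
```

Run it against a real CollectorLog by replacing SAMPLE_LOG with the file contents; denials whose session has no logged principal are the "unknown user" cases, while a denial that names a principal (the UPDATE_NEGOTIATOR_AD line above) means authentication succeeded and the authorization list for that command level is what rejected it.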