Mailing List Archives Authenticated access	UW Madison Computer Sciences Department Computer Systems Lab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] GSI authentication succeeds but authorization fails

Date: Tue, 25 Sep 2007 14:29:50 -0500
From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
Subject: Re: [Condor-users] GSI authentication succeeds but authorization fails

Scott Koranda wrote:

Note that
[root@ldg-portal log]# cat /etc/grid-security/grid-mapfile.condor"/DC=org/DC=doegrids/OU=People/CN=Scott Koranda 212488" skoranda


I think you want to have this in your map file instead:

"/DC=org/DC=doegrids/OU=People/CN=Scott Koranda 212488"skoranda@xxxxxxxxxxxx


i.e., the Condor map file desires fully qualified user names (user@domain).

-Todd

When, however, I try to tighten up the authorization by setting

ALLOW_READ = skoranda@xxxxxxxxxxxx/ldg-portal.phys.uwm.eduALLOW_WRITE = skoranda@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu

then I as a user with the same GSI proxy credential am notauthorized:


[skoranda@ldg-portal ~]$ /opt/condor/bin/condor_q

-- Failed to fetch ads from: <129.89.61.100:44342> :ldg-portal.phys.uwm.edu


In the SchedLog I see

MyType = "" TargetType = "" Authentication = "YES" Encryption = "YES"
 Integrity = "YES" AuthMethodsList = "GSI" CryptoMethods =
"3DES,BLOWFISH" SessionDuration = "60" Enact = "YES" AuthMethods =
"GSI" Subsystem = "TOOL" ServerPid = 20265 RemoteVersion =
"$CondorVersion: 6.9.4 Aug 30 2007 $" User =
"skoranda@xxxxxxxxxxxxxxxxxxxxxxx" Sid =
"ldg-portal:20251:1190746878:0" ValidCommands =
"60007,60011,1111,457,471" 9/25 14:01:18 (fd:13) (pid:20251)
DC_AUTHENTICATE: setting sock->decode() 9/25 14:01:18 (fd:13)
(pid:20251) DC_AUTHENTICATE: allowing an empty message for sock. 9/25
14:01:18 (fd:13) (pid:20251) DC_AUTHENTICATE: Success. 9/25 14:01:18

(fd:13) (pid:20251) IPVERIFY: hoststring: ldg-portal.phys.uwm.edu9/25 14:01:18 (fd:13) (pid:20251) IPVERIFY: hoststring:

ldg-portal.phys.uwm.edu 9/25 14:01:19 (fd:13) (pid:20251) IPVERIFY:
hoststring: ldg-portal.phys.uwm.edu 9/25 14:01:19 (fd:13) (pid:20251)
IPVERIFY: hoststring: ldg-portal.phys.uwm.edu 9/25 14:01:20 (fd:13)
(pid:20251) IPVERIFY: hoststring: ldg-portal.phys.uwm.edu 9/25
14:01:20 (fd:13) (pid:20251) IPVERIFY: hoststring:
ldg-portal.phys.uwm.edu 9/25 14:01:20 (fd:13) (pid:20251) DaemonCore:
PERMISSION DENIED to skoranda@xxxxxxxxxxxxxxxxxxxxxxx from host
<129.89.61.100:42079> for command 1111 (QMGMT_CMD) 9/25 14:01:20
(fd:13) (pid:20251) CLOSE <129.89.61.100:44342> fd=12

Why am I not authorized?

Thanks,

Scott _______________________________________________ Condor-users
mailing list To unsubscribe, send a message to
condor-users-request@xxxxxxxxxxx with a subject: Unsubscribe You can

also unsubscribe by visitinghttps://lists.cs.wisc.edu/mailman/listinfo/condor-users

The archives can be found at:https://lists.cs.wisc.edu/archive/condor-users/



--

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Todd Tannenbaum                       University of Wisconsin-Madison
Condor Project Research               Department of Computer Sciences
tannenba@xxxxxxxxxxx                  1210 W. Dayton St. Rm #4257
Phone: (608) 263-7132                 Madison, WI 53706-1685

Follow-Ups:
- Re: [Condor-users] GSI authentication succeeds but authorization fails
  - From: Scott Koranda

References:
- [Condor-users] GSI authentication succeeds but authorization fails
  - From: Scott Koranda

Prev by Date: Re: [Condor-users] GSI authentication succeeds but authorization fails
Next by Date: Re: [Condor-users] GSI authentication succeeds but authorization fails
Previous by thread: Re: [Condor-users] GSI authentication succeeds but authorization fails
Next by thread: Re: [Condor-users] GSI authentication succeeds but authorization fails
Index(es):
- Date
- Thread

Mailing List Archives

Authenticated access

Re: [Condor-users] GSI authentication succeeds but authorization fails