Re: [Condor-users] GSI authentication succeeds but authorization fails
- Date: Tue, 25 Sep 2007 15:32:10 -0500
- From: Scott Koranda <skoranda@xxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Condor-users] GSI authentication succeeds but authorization fails
> On Tue, Sep 25, 2007 at 02:49:34PM -0500, Scott Koranda wrote:
> > > >
> > > > Why am I not authorized?
> > >
> > > the log shows you are being mapped to skoranda@xxxxxxxxxxxxxxxxxxxxxxx while
> > > the allow list has:
> > > ALLOW_READ = skoranda@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
> > >
> > > basically, your authz rule is missing the 'ldg-portal' on the left hand side
> > > of the slash.
> > >
> > > i think you meant to write:
> > > ALLOW_READ = skoranda@xxxxxxxxxxxxxxxxxxxxxxx/ldg-portal.phys.uwm.edu
> >
> > I don't understand.
> >
> > The manual indicates that the form is
> >
> > "Each macro is defined by a comma-separated list of fully
> > qualified users. Each fully qualified user is described using
> > the following format:
> >
> > username@domain/hostname
>
> true. in your case the 'domain' was ldg-portal.phys.uwm.edu, and not
> phys.uwm.edu.
>
> why? as todd pointed out, you didn't specify a domain in your map file,
> so condor by default will append the value of UID_DOMAIN.
>
> so, you could either change the mapping to specify the domain as you like
> it, or you can change the ALLOW list to accept the domain that condor is
> filling in by default. either way is acceptable.
>
>
Thanks. I got over the conceptual hurdle that I have to map my
cert DN to a Condor user ID and not a UNIX ID.
Next question: Do I have to also map the certificate that is
being used by the daemons to a Condor user ID in order for the
daemons to talk amongst themselves?
More specifically, do I have to map
"/DC=org/DC=doegrids/OU=Services/CN=ldg-portal.phys.uwm.edu" condor@xxxxxxxxxxxx
Recall that I have
SEC_DEFAULT_NEGOTIATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = GSI
GSI_DAEMON_CERT = /etc/grid-security/hostcert.pem
GSI_DAEMON_KEY = /etc/grid-security/hostkey.pem
GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
GSI_DAEMON_NAME = /DC=org/DC=doegrids/OU=Services/CN=ldg-portal.phys.uwm.edu
GRIDMAP = /etc/grid-security/grid-mapfile.condor
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_CRYPTO_METHODS = 3DES, BLOWFISH
And now I have added
## Only the condor user has administrator, config, and owner
## authorization
ALLOW_ADMINISTRATOR = condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
ALLOW_CONFIG = condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
ALLOW_OWNER = condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
## Only the Condor user has negotiator authorization
ALLOW_NEGOTIATOR = condor@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
I ask because although I can run condor_status using my GSI
proxy credential, it returns empty and my submitted jobs are
not running (with START=True). So I suspect Condor is unhappy
at the daemon level.
Thanks,
Scott
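As an added illustration of the mechanism explained in the quoted reply (this is not code from the thread or from Condor itself): a small Python model of how a grid-mapfile entry with no domain becomes user@UID_DOMAIN, is qualified with the client host, and is then compared against an ALLOW_* list. The user DN is a placeholder, the two ALLOW_READ rules are reconstructed from the reply's explanation, and the '*' handling is a simplification of Condor's wildcard matching.

```python
import re
import shlex

# Constructed grid-mapfile content: placeholder DN, mapped name has no
# '@domain', which is the situation described in the thread.
GRIDMAP_TEXT = '"/DC=org/DC=example/OU=People/CN=Placeholder User" skoranda\n'
USER_DN = "/DC=org/DC=example/OU=People/CN=Placeholder User"
UID_DOMAIN = "ldg-portal.phys.uwm.edu"   # the daemon's UID_DOMAIN per the reply
CLIENT_HOST = "ldg-portal.phys.uwm.edu"  # host the client connection comes from

def parse_gridmap(text):
    """Return {DN: mapped_name} from grid-mapfile text ('"DN" name' per line)."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            if len(parts) >= 2:
                mapping[parts[0]] = parts[1]
    return mapping

def map_identity(dn, gridmap, uid_domain):
    """Condor user for a DN; a mapped name without '@' gets '@UID_DOMAIN' appended."""
    name = gridmap[dn]
    return name if "@" in name else f"{name}@{uid_domain}"

def is_allowed(fq_user, allow_list):
    """Match 'user@domain/host' against a comma-separated ALLOW_* list.
    '*' is treated as 'any characters' (simplified wildcard semantics)."""
    for entry in (e.strip() for e in allow_list.split(",")):
        if entry:
            regex = ".*".join(re.escape(part) for part in entry.split("*"))
            if re.fullmatch(regex, fq_user):
                return True
    return False

def authorize(gridmap_text, dn, client_host, allow_list, uid_domain=UID_DOMAIN):
    """Return (fully_qualified_user, allowed) for one GSI-authenticated client."""
    user = map_identity(dn, parse_gridmap(gridmap_text), uid_domain)
    fq_user = f"{user}/{client_host}"
    return fq_user, is_allowed(fq_user, allow_list)

if __name__ == "__main__":
    # Original rule: domain left of the slash is phys.uwm.edu (does not match).
    original = "skoranda@phys.uwm.edu/ldg-portal.phys.uwm.edu"
    # Corrected rule: the domain Condor filled in by default (matches).
    corrected = "skoranda@ldg-portal.phys.uwm.edu/ldg-portal.phys.uwm.edu"
    for rule in (original, corrected):
        print(rule, "->", authorize(GRIDMAP_TEXT, USER_DN, CLIENT_HOST, rule))
```

The other fix the reply mentions, writing `skoranda@phys.uwm.edu` explicitly in the mapfile, makes the original rule match instead, since map_identity then appends nothing.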