Re: [HTCondor-users] HTCondor - condor_store_cred fails to store credentials of dedicated account on Windows in 8.6 series

[Jaime Frey <jfrey@xxxxxxxxxxx>]

On Jul 14, 2017, at 3:56 AM, Felix Wolfheimer <f.wolfheimer@xxxxxxxxxxxxxx> wrote:

I'm using a setup of HTCondor on Windows which executes jobs using a dedicated user account (SLOT_USER). I can't use the standard "transient" accounts as the user account used for the jobs needs special privileges which I configured for the dedicated account.

I used to register the dedicated account credentials on execution machines using condor_store_cred. This worked fine in Condor version 8.4.x and earlier.

When switching from HTCondor version 8.4.7 to 8.6.4 the setup stopped working though and the condor_store_cred failed to store the credentials of the dedicated account and printed its standard error message:

"Operation failed. Make sure your ALLOW_WRITE setting includes this host."

Digging through the source I found a part which was introduced in the 8.6 series as it seems:

condor-8.6.4/src/condor_utils/store_cred.cpp (line 725): // We don't allow one user to set another user's credential

The code part which follows leads to the failure. As I install condor using my own account which has administrative permissions and register the credentials of the execution account during the installation process, I'm trying to register the credentials of an account I'm not logged in with. I'm curious whether there's a workaround/best practice for such a setup available. For now I have removed the restriction from store_cred.cpp for my setup and recompiled HTCondor but this is not an optimal solution of course.

Additional comment: condor_store_cred seems to know only a single error message: "Operation failed. Make sure your ALLOW_WRITE setting includes this host." . It writes this message no matter for what reason an operation fails. This is a bit misleading for a user/admin, as this message guides often in a wrong direction. I had to switch on all debugging (D_ALL) to see a message in the logs saying that the user account was rejected. Then had to parse the condor source code to find the comment listed above indicating that the operation as such is not allowed. I'd like to suggest, that condor_store_cred writes an error message indicating that the operation is not permitted, plus add this information to the HTCondor documentation (preferable with a best practice how to register a dedicated account when installing HTCondor with a different (admin) account).   

condor_store_cred in 8.4 was too lax in who could store passwords. We tightened it up in 8.6 so that you have to run the command from the account whose password you want to store. For regular user accounts, this seemed like a reasonable restriction. If youâre setting up dedicated execute accounts on each machine, I can see how it may be burdensome to have to log into each account to run the condor_store_cred command. We should consider adding an option to allow administrators to store passwords for other accounts. And weâll improve the error message and documentation.

Thanks and regards,

Jaime Frey

UW-Madison HTCondor Project