Re: [HTCondor-users] Inconsistency in authorizations for condor_userprio

[Bert DeKnuydt <Bert.DeKnuydt@xxxxxxxxxxxxxxxx>]

John M Knoeller skrev den 06-01-2022 21:02:
> Hi Bert,
>
>  It seems you are running up against some experimental code to give
> (as you guessed) fine grained control to some users  so they can set
> the prio factor of groups that they own.
>
>  You should notâ be hitting this error message if you have
> ADMINISTRATOR access to the NEGOTIATOR.   HTCondor 9.0 has the same
> experimental code, so it is unexpected that one version works but the
> other does not.  The real problem is likely some other change to the
> config or to the HTCondor auth code.

Hi TJ,

You are correct: I checked all 9.0.0 to 9.0.8 and they behave identical.

It is indeed related with auth stuff (after a config change of mine)

When I change, on the client

SEC_CLIENT_AUTHENTICATION_METHODS = IDTOKENS, FS, PASSWORD, FS_REMOTE

to

SEC_CLIENT_AUTHENTICATION_METHODS = FS, PASSWORD, FS_REMOTE

The all is working again.

So summarized: IDTOKENS auth-code passes through this undocumented/
not-yet-documented feature NEGOTIATOR_CLASSAD_USER_MAP_NAMES, and
the default 'nothing configured' seems wrong.

>  We are looking into this and will post an update when we figure out
> what is going wrong and/or find a workaround for you.

So just putting FS before IDTOKENS on the node where I want to modify
the prio factors seems enough.

Thanks!

Bert.