Todd
Copying the file from tokens.d worked like a charm. Thanks a bunch
P
From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
Sent: Monday, April 24, 2023 11:33 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; Peter Ellevseth <Peter.Ellevseth@xxxxxxxxxx>
Subject: Re: [HTCondor-users] Authentication using IDTokens
On 4/24/2023 4:56 AM, Peter Ellevseth wrote:
Hi all
Struggling with IDTokens. I have a new execute machine to add to my cluster. The new machine is not able to authenticate properly. The only config I have on it is a file in config.d with CONDOR_HOST = … and ‘use rolef:get_htcondor_execute’
I already have another machine in my pool with the same config, which is working just fine. All config seems to be identical between the two, but still no authentication. The only difference I have seen is that the new machine is version 10.4 and the old is 10.3. My host is 10.4.
On the MasterLog of the new machine I keep seeing:
04/24/23 11:53:32 Token requested not yet approved; please ask collector [HOST] admin to approve request ID 4256417.
I can then go to my host and approve this, but that only generates another question with a new ID.
I tried using the auto_approve on my HOST, but then I only get this message instead:
04/24/23 11:09:43 PERMISSION DENIED to condor@[new execute machine] from host xxx for command 13 (INVALIDATE_STARTD_ADS), access level ADVERTISE_STARTD: reason: cached result for ADVERTISE_STARTD; see first case for the full reason
Any ideas?
Hi Peter,
Thank you for sending along the HTCondor version info; sending along your operating system would also help (Windows? Linux distro? Mac?). I will guess you are using Linux.
On the Execute Point (EP, i.e. the execute machine) where everything works, run the following command as user root:
# condor_token_list
and compare that to the output of condor_token_list as root in the new EP machine that does not work.
Perhaps the working machine has a valid token file sitting in /etc/condor/tokens.d, and the non-working machine does not? Depending on how you set things up, you could copy the token file from your working EP to your non-working EP. Be careful to keep the file ownership and permissions the same.
If you have set up your pool using get_htcondor (recommended - it deals with all the security config), you should be able to add a new EP by just running get_htcondor on the EP and giving it the same password you used when setting up your pool initially. See the Admin Quick Start at:
https://htcondor.readthedocs.io/en/latest/getting-htcondor/admin-quick-start.html
Finally, if you wish to see a 20min tutorial on IDTOKENS (including how to use them to secure your pool) recorded from HTCondor Week 2022, see:
https://www.youtube.com/watch?v=8fh6SLavDi8
Hope the above helps,
Todd
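
The advice in the thread to keep file ownership and permissions the same when copying a token out of /etc/condor/tokens.d can be checked mechanically. The shell functions below are an added example, not part of the original thread and not HTCondor tooling: the function names are hypothetical, GNU stat on Linux is assumed, and treating any group/other permission bit on a token file as a problem is an assumption of this example.

```shell
# Added example (hypothetical helper names, not HTCondor tooling).
# Assumes GNU stat (Linux) and token file names without whitespace.

# On the working EP: record "mode owner:group name" for each token file.
token_manifest() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(stat -c '%a %U:%G' "$f")" "$(basename "$f")"
    done
}

# On the new EP: compare a token directory against a saved manifest.
# Prints one line per problem; returns 0 only when nothing is wrong.
token_check() {
    dir=$1 manifest=$2 rc=0
    while read -r mode owner name; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        got=$(stat -c '%a %U:%G' "$f")
        if [ "$got" != "$mode $owner" ]; then
            echo "MISMATCH $name: want $mode $owner, got $got"; rc=1
        fi
        # Assumption of this example: only the owner may access a token file.
        case $(stat -c '%A' "$f") in
            ????------) ;;
            *) echo "EXPOSED $name: group/other permission bits set"; rc=1 ;;
        esac
    done < "$manifest"
    return $rc
}
```

Run token_manifest against the token directory on the working EP, carry the output over together with the token file, and run token_check against the token directory on the new EP after the copy.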