
Re: [HTCondor-users] No other user than root can locate the Collector or the Negotiator through the Python bindings



Hi Gaetan,

For allowing the read of ads on the collector, on the central manager, the settings of interest would be:

SEC_READ_AUTHENTICATION / _ENCRYPTION / _INTEGRITY (which will fall back to SEC_DEFAULT_* if not set)

If any of these are set to REQUIRED, then authentication must happen (even if AUTHENTICATION is OPTIONAL or PREFERRED, though authentication can be anonymous if SSL is used).

Similarly, the list of authentication methods in SEC_READ_AUTHENTICATION_METHODS will be used, which will fall back to SEC_DEFAULT_AUTHENTICATION_METHODS if not set.

Finally, ALLOW_READ says who can read ads from the collector, usually ALLOW_READ = * is fine unless you have something to hide.


On the client-side (even if on the same machine as the central manager), SEC_CLIENT_AUTHENTICATION / _ENCRYPTION / _INTEGRITY and SEC_CLIENT_AUTHENTICATION_METHODS follow the same rules as above.


This should at least help solve the reading of the machine ads to get the pool status and resolve the "Unable to locate local daemon" error for talking with the negotiator. For updating priorities on the negotiator, though, that requires ADMINISTRATOR level privileges, so then you would also need to set ALLOW_ADMINISTRATOR appropriately on the central manager. You should really use authentication for this... for example, if this script is running from the same machine as the central manager under a restricted service account (for example, "scriptuser"), you should be able to use FS authentication and add the user to the ALLOW_ADMINISTRATOR list:

ALLOW_ADMINISTRATOR = $(ALLOW_ADMINISTRATOR) scriptuser@fs

Jason
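As an added illustration of the fallback and ALLOW_* rules described above (example code written for this page, not from the HTCondor project or anyone in the thread), this small Python checker resolves SEC_<level>_* knobs against SEC_DEFAULT_*, applies the "any REQUIRED forces authentication" rule, and audits the test-pool settings from the question against an FS-authenticated alternative. The two config fragments, including the root@fs entry, are constructed assumptions, not a real pool's configuration.

```python
import re

# Constructed config fragments (not from the thread). WEAK mirrors the
# test-pool knobs in the question; HARDENED follows the reply's advice.
WEAK_CONFIG = """
SEC_DEFAULT_AUTHENTICATION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, CLAIMTOBE
ALLOW_ADMINISTRATOR = *
"""
HARDENED_CONFIG = """
SEC_DEFAULT_AUTHENTICATION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = FS
SEC_ADMINISTRATOR_AUTHENTICATION = REQUIRED
ALLOW_READ = *
ALLOW_ADMINISTRATOR = root@fs
ALLOW_ADMINISTRATOR = $(ALLOW_ADMINISTRATOR) scriptuser@fs
"""

def parse_config(text):
    # KEY = VALUE lines; $(NAME) expands to the value already set, which is
    # why "ALLOW_X = $(ALLOW_X) foo" appends foo to the existing list.
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        value = re.sub(r"\$\((\w+)\)", lambda m: cfg.get(m.group(1), ""), value)
        cfg[key.upper()] = value.strip()
    return cfg

def effective(cfg, level, knob):
    # SEC_<LEVEL>_<KNOB> falls back to SEC_DEFAULT_<KNOB> when unset.
    return cfg.get(f"SEC_{level}_{knob}", cfg.get(f"SEC_DEFAULT_{knob}", ""))

def must_authenticate(cfg, level):
    # REQUIRED on any of the three knobs forces authentication at that level.
    return any(effective(cfg, level, k).upper() == "REQUIRED"
               for k in ("AUTHENTICATION", "ENCRYPTION", "INTEGRITY"))

def audit(cfg):
    # Findings on the ADMINISTRATOR level, which priority updates require.
    findings = []
    if "*" in cfg.get("ALLOW_ADMINISTRATOR", "").split():
        findings.append("ALLOW_ADMINISTRATOR grants everyone admin access")
    if "CLAIMTOBE" in effective(cfg, "ADMINISTRATOR", "AUTHENTICATION_METHODS").upper():
        findings.append("CLAIMTOBE lets a client claim any identity")
    if not must_authenticate(cfg, "ADMINISTRATOR"):
        findings.append("ADMINISTRATOR level does not require authentication")
    return findings
```

Running audit() on the WEAK fragment reports all three findings; the HARDENED fragment reports none, and its ALLOW_ADMINISTRATOR resolves to "root@fs scriptuser@fs".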

On Fri, Mar 24, 2023 at 12:04 PM Gaetan Geffroy <gage@xxxxxxxxx> wrote:

Hi,


I have a Python program which does three HTCondor operations: query the Collector (to get the list of worker nodes and their status), query the negotiator (to update some priorities) and submit jobs.

The program can query the two daemons just fine when launched using the root user, but of course the job submissions get rejected.

When run with another user (e.g. submituser), I get an "htcondor.HTCondorLocateError: Unable to locate local daemon" from the negotiator and "htcondor.HTCondorIOError: Failed communication with collector." from the collector.


I tried to change the security config file on the central manager, like ALLOW_ADMINSTRATOR = *, ALLOW_NEGOTIATOR=*, ALLOW_DAEMON=*, SEC_DEFAULT_AUTHENTICATION_METHODS=FS, CLAIMTOBE, SEC_NEGOTIATOR_AUTHENTICATION_METHODS=FS, CLAIMTOBE and SEC_DAEMON_AUTHENTICATION_METHDODS= FS, CLAIMTOBE, but nothing works.


I also don't see in any other config file any mention of the root user, so I don't understand why he is authorized and not the others.


What other knobs am I missing that might resolve the issues?


Thanks,


Gaëtan


PS: I know the aforementioned settings are bad security-wise; they are not meant to be permanent or deployed anywhere other than my little test pool, I just want to find the correct macro to configure.



Gaetan Geffroy
Junior Software Engineer, Space

Terma GmbH
Europaarkaden II, Bratustraße 7, 64293 Darmstadt, Germany
T +49 6151 86005 43 (direct) | T +49 6151 86005-0
Terma GmbH - Sitz Darmstadt | Handelsregister Nr.: HRB 7411, Darmstadt
Geschäftsführer: Poul Vigh / Steen Vejby Sørensen
www.terma.com


