
Re: [HTCondor-users] HTCondor-CE24.0.1 issues with SSL authentication



It looks like when we added the ability to consider VOMS attributes in the map file, we made it required to include them in the matching. This is different than the behavior we had for GSI, where we tried to match both with and without the VOMS attributes. If you don't need to consider VOMS attributes for any entries in the mapfile, you can set AUTH_SSL_USE_VOMS_IDENTITY=False in the config file.

For the second issue, everything shows that both clients are using the same build of HTCondor 23.0.6. The htc-23-client.log collector log shows the client not providing a certificate, but the authorization succeeds anyway.

Can you run the same condor_q, but add -debug:D_SECURITY:2, and send me the output? Also, verify what's different between the two condor_q instances.

 - Jaime

On Nov 8, 2024, at 12:20 PM, Alessandro Pascolini <alessandro.pascolini@xxxxxxxxxxxx> wrote:

Dear HTCondor experts,

at CNAF we are planning on upgrading our cluster to HTCondor[-CE] 24.0.1
We have already upgraded our testbed (Alma9) to the new version and the local submission does seem to go smoothly.

We tested GRID submission to the HTC-CE 24.0.1 from several clients, with both SCITOKENS and SSL as we support both of them at CNAF.
A couple of issues were found:

1. the SSL mapping doesn't seem to support DN-only mapping as it used to on HTC-CE23.X, but it requires at least a regex to accept all possible VOMS attributes:

SSL "<certificate_DN>" <username> --> doesn't work
SSL "<certificate_DN>,<ATTRIBUTE_1>,<ATTR_2>,...." <username> --> works
SSL /<certificate_DN>,.*/ <username> --> works



2. using a client with HTCondor23 we don't seem to be able to authenticate to HTC-CE24:

$ condor_version
$CondorVersion: 23.0.6 2024-03-14 BuildID: 720565 PackageID: 23.0.6-1 $
$CondorPlatform: x86_64_CentOS7 $

$ condor_q

-- Failed to fetch ads from: <131.154.192.69:9619?addrs=131.154.192.69-9619+[2001-760-4205-192-216-3eff-fe00-1073]-9619&alias=ce01t-htc.cr.cnaf.infn.it&noUDP&sock=schedd_491355_0221> : ce01t-htc.cr.cnaf.infn.it
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL

with the same proxy and with HTCondor 24 client we can authenticate without any issues:

$ condor_version
$CondorVersion: 23.0.6 2024-03-14 BuildID: 720565 PackageID: 23.0.6-1 $
$CondorPlatform: x86_64_CentOS7 $

$ condor_q


-- Schedd: ce01t-htc.cr.cnaf.infn.it : <131.154.192.69:9619?... @ 11/08/24 18:39:26
OWNER        BATCH_NAME    SUBMITTED   DONE   RUN    IDLE   HOLD  TOTAL JOB_IDS
apascolinius ID: 1       11/7  17:12      _      _      _      1      1 1.0
..............................
..............................

Total for query: 5 jobs; 4 completed, 0 removed, 0 idle, 0 running, 1 held, 0 suspended
Total for apascolinius: 4 jobs; 4 completed, 0 removed, 0 idle, 0 running, 0 held, 0 suspended
Total for all users: 11 jobs; 7 completed, 0 removed, 1 idle, 0 running, 3 held, 0 suspended

I'm attaching the CollectorLog (COLLECTOR_DEBUG = D_SECURITY:2) of the HTC-CE 24.0.1 for the two client authentications.


The second issue is the main problem that blocks the upgrade, as we support some communities that have HTC client versions even older than 23.0.6 and it will not be easy to ask them to upgrade them to the 24.

Cheers,
Alessandro



<htc-23-client.log><htc-24-client.log><smime.p7s>
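
Added example, not part of the original thread and not HTCondor code: a simplified Python model of the SSL map-file lookup discussed above, showing why a DN-only literal entry stops matching once VOMS attributes are appended to the identity. The DN, VOMS attribute, user name, function names, first-match order and unanchored regex search are assumptions made for illustration.

```python
import re

# One map-file line in this model: METHOD, then "literal" or /regex/, then user.
LINE = re.compile(r'^(\S+)\s+(?:"([^"]*)"|/(.*)/)\s+(\S+)$')

def ssl_identity(dn, voms_attrs, use_voms_identity=True):
    """Identity string looked up in the map file for an SSL peer.

    use_voms_identity stands in for AUTH_SSL_USE_VOMS_IDENTITY; the
    "DN,attr1,attr2" layout follows the working entry quoted in the thread.
    """
    if use_voms_identity and voms_attrs:
        return ",".join([dn, *voms_attrs])
    return dn

def map_user(mapfile, method, identity):
    """Return the user of the first matching line, or None (assumed semantics)."""
    for raw in mapfile.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != method:
            continue
        _, literal, pattern, user = m.groups()
        if literal is not None:
            if literal == identity:          # quoted entry: exact string match
                return user
        elif re.search(pattern, identity):   # /.../ entry: regular expression
            return user
    return None

# Constructed sample data (not taken from the thread).
DN = "/DC=org/DC=example/CN=Alice Example"
VOMS = ["/testvo/Role=NULL/Capability=NULL"]
DN_ONLY_ENTRY = 'SSL "/DC=org/DC=example/CN=Alice Example" alice'
REGEX_ENTRY = r'SSL /^\/DC=org\/DC=example\/CN=Alice Example,.*/ alice'

if __name__ == "__main__":
    for knob in (True, False):
        ident = ssl_identity(DN, VOMS, use_voms_identity=knob)
        print(f"use_voms_identity={knob}: identity={ident!r}")
        print("  DN-only entry ->", map_user(DN_ONLY_ENTRY, "SSL", ident))
        print("  regex entry   ->", map_user(REGEX_ENTRY, "SSL", ident))
```

In this model the `,.*` regex entry matches only while the VOMS attributes are part of the identity, so a map file written with such entries would need its DN-only forms back if the identity is switched to the bare DN.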