Does ALLOW_ADMINISTRATOR have ltscondor@xxxxxxxxxx/* in the configuration of all HTCondor nodes? Or just on the central manager?
From the way you worded this, I'm assuming you are running a condor_drain command as root. Are you running that command from the central manager? Or are you logged in to the host you are trying to drain?
If you are on the central manager, then the condor_drain command should be authenticating to the COLLECTOR and getting a capability for administering the STARTD from the COLLECTOR, then sending the drain command using that capability.
If you run the drain command from the execute node, then the command will most likely be unable to authenticate to the COLLECTOR as an administrator, so it will just get the address of the STARTD from the collector, then authenticate to the STARTD using some other method. Most likely this will be FS, in which case root will authenticate as the condor user, which in your case is ltscondor@xxxxxxxxxx, and the STARTD will look in its ALLOW_ADMINISTRATOR list to see if that identity is allowed to send admin commands.
-tj
From: HTCondor-users on behalf of Weatherby,Gerard
Sent: Tuesday, April 15, 2025 5:12 PM
To: HTCondor Users
Subject: [HTCondor-users] condor_drain authorization

We are running a cluster with the “condor” account being named “ltscondor” with uid = 29000.
condor@*,condor@password,root@*,ltscondor@xxxxxxxxxx/*