
Re: [HTCondor-users] condor_drain authorization (Resolved)



It was working on the central manager and not working on the execute node.

I'd set the ALLOW_ADMINISTRATOR only on the central manager. I just set it on the execute node and condor_drain works now.

Thanks for the help.

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of John M Knoeller via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Date: Wednesday, April 16, 2025 at 10:42 AM
To: HTCondor Users <htcondor-users@xxxxxxxxxxx>
Cc: John M Knoeller <johnkn@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] condor_drain authorization


Does ALLOW_ADMINISTRATOR have ltscondor@xxxxxxxxxx/* in the configuration of all HTCondor nodes? or just on the central manager?

 

From the way you worded this, I'm assuming you are running a condor_drain command as root.  Are you running that command from the central manager? or are you logged in to the host you are trying to drain?

 

If you are on the central manager, then the condor_drain command should be authenticating to the COLLECTOR and getting a capability for administering the STARTD from the COLLECTOR, then sending the drain command using that capability.

 

If you run the drain command from the execute node, then the command will most likely be unable to authenticate to the COLLECTOR as an administrator, so it will just get the address of the STARTD from the collector, then authenticate to the STARTD using some other method, most likely this will be FS, in which case root will authenticate as the condor user, which in your case is ltscondor@xxxxxxxxxx and the STARTD will look in its ALLOW_ADMINISTRATOR list to see if that identity is allowed to send admin commands.

 

-tj

 


From: HTCondor-users on behalf of Weatherby,Gerard
Sent: Tuesday, April 15, 2025 5:12 PM
To: HTCondor Users
Subject: [HTCondor-users] condor_drain authorization

 

We are running a cluster with the "condor" account being named "ltscondor" with uid = 29000.
CONDOR_IDS=29000.29000 is in our configuration.

The central manager setting is
condor_config_val ALLOW_ADMINISTRATOR

condor@*,condor@password,root@*,ltscondor@xxxxxxxxxx/*


Trying to do a drain job as root on an execute node is generating this error in the /var/log/condor/StartLog:

04/15/25 11:25:22 PERMISSION DENIED to ltscondor@xxxxxxxxxx from host 155.37.253.155 for command 512 (DRAIN_JOBS), access level ADMINISTRATOR: reason: ADMINISTRATOR authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 155.37.253.155,zirconium.nmrbox.org, hostname size = 1, original ip address = 155.37.253.155

How do I make this work?
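
Added example, not part of the original thread and not HTCondor code: a Python check that parses the StartLog denial quoted above and reports which nodes' ALLOW_ADMINISTRATOR lists would not admit the denied identity. The execute-node value, the node names, and the simplified entry matching (glob on the user part and on the host part, with an entry that has "@" but no "/" treated as any host) are assumptions; real values come from running condor_config_val ALLOW_ADMINISTRATOR on each node.

```python
import re
from fnmatch import fnmatchcase

# Log line quoted in the thread (identity redacted by the list archive).
SAMPLE_LOG = ("04/15/25 11:25:22 PERMISSION DENIED to ltscondor@xxxxxxxxxx "
              "from host 155.37.253.155 for command 512 (DRAIN_JOBS), access level "
              "ADMINISTRATOR: reason: ADMINISTRATOR authorization policy contains no "
              "matching ALLOW entry for this request; identifiers used for this host: "
              "155.37.253.155,zirconium.nmrbox.org, hostname size = 1, "
              "original ip address = 155.37.253.155")

NODE_CONFIGS = {
    # Value reported in the thread for the central manager.
    "central-manager": "condor@*,condor@password,root@*,ltscondor@xxxxxxxxxx/*",
    # Constructed value: the thread does not show the execute node's list.
    "execute-node": "condor@*,root@*",
}

DENIED = re.compile(
    r"PERMISSION DENIED to (?P<identity>\S+) from host (?P<ip>\S+) for command "
    r"(?P<number>\d+) \((?P<command>\w+)\), access level (?P<level>\w+).*?"
    r"identifiers used for this host: (?P<hosts>\S+)")

def parse_denial(line):
    """Return the fields of a PERMISSION DENIED line, or None if it is not one."""
    m = DENIED.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["hosts"] = [h for h in fields["hosts"].split(",") if h]
    return fields

def allows(allow_list, identity, hosts):
    """Simplified matcher (assumption): 'user/host' globs; '@' without '/' is any host."""
    for entry in (e.strip() for e in allow_list.split(",")):
        if not entry:
            continue
        if "/" in entry:
            user_pat, host_pat = entry.split("/", 1)
        else:
            user_pat, host_pat = (entry, "*") if "@" in entry else ("*", entry)
        if fnmatchcase(identity, user_pat) and any(fnmatchcase(h, host_pat) for h in hosts):
            return True
    return False

def nodes_missing_entry(line, node_configs):
    """Names of nodes whose ALLOW_ADMINISTRATOR would not admit the denied identity."""
    denial = parse_denial(line)
    return [node for node, allow in node_configs.items()
            if not allows(allow, denial["identity"], denial["hosts"])]
```

With the values above, only the execute node is reported, which matches the resolution: the daemon that receives the command is the one whose list is consulted.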