Mailing List Archives

Authenticated access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] HTCondor 24 SECMAN Password/Token oddity

Hi Condor community,

 

I’m currently testing our pre-production HTCondor Pool on the latest HTCondor LTS version of 24.0.2 and notice the logfile `/var/log/condor/MasterLog` on the Central Managers filling with the log:

 

01/02/25 16:13:30 SECMAN: FAILED: Received "DENIED" from server for user condor@password using method PASSWORD.

01/02/25 16:13:30 ERROR: SECMAN:2010:Received "DENIED" from server for user condor@password using method PASSWORD.

01/02/25 16:13:30 Failed to start non-blocking update to <130.246.180.227:9618>.

01/02/25 16:13:35 Token requested not yet approved; please ask collector condor02.gridpp.rl.ac.uk admin to approve request ID 2571892.

01/02/25 16:13:40 Token requested not yet approved; please ask collector condor02.gridpp.rl.ac.uk admin to approve request ID 2571892.

01/02/25 16:13:45 Token requested not yet approved; please ask collector condor02.gridpp.rl.ac.uk admin to approve request ID 2571892.

01/02/25 16:13:50 Token requested not yet approved; please ask collector condor02.gridpp.rl.ac.uk admin to approve request ID 2571892.

 

My assumption is that the token statements (which are produced every 5 seconds) are a fallback from the failing PASSWORD authentication. I’ve upgraded this pool from Condor 10.0.9 where the setup worked perfectly without this issue. The difference I notice here is the user `condor@password` which seems new, I haven’t configured an `@password` domain and will fail the previously defined authorisation rules, please find my `SEC_` statements below to confirm this:

 

ALLOW_ADMINISTRATOR = root@xxxxxxxxxxxxxxx/$(IP_ADDRESS), condor@xxxxxxxxxxxxxxx/$(IP_ADDRESS), $(CMS)

ALLOW_CONFIG = root@$(FULL_HOSTNAME)

ALLOW_DAEMON = condor@xxxxxxxxxxxxxxx/*, condor@xxxxxxxxxxxxxxx/$(IP_ADDRESS)

ALLOW_NEGOTIATOR = condor@$(UID_DOMAIN)/$(CONDOR_HOST), condor@$(UID_DOMAIN)/$(IP_ADDRESS)

ALLOW_OWNER = root@xxxxxxxxxxxxxxx/$(IP_ADDRESS), condor@xxxxxxxxxxxxxxx/$(IP_ADDRESS)

ALLOW_READ = */*.gridpp.rl.ac.uk, */*.nubes.stfc.ac.uk

CES = condor@xxxxxxxxxxxxxxx/arc-ce-test01.gridpp.rl.ac.uk,condor@xxxxxxxxxxxxxxx/arc-ce-test02.gridpp.rl.ac.uk

CMS = condor@xxxxxxxxxxxxxxx/condor01.gridpp.rl.ac.uk,condor@xxxxxxxxxxxxxxx/condor02.gridpp.rl.ac.uk

COLLECTOR.ALLOW_ADVERTISE_MASTER = $(CES), $(CMS), $(WNS)

COLLECTOR.ALLOW_ADVERTISE_SCHEDD = $(CES)

COLLECTOR.ALLOW_ADVERTISE_STARTD = $(WNS)

NEGOTIATOR.ALLOW_WRITE = $(CES), $(CMS)

SCHEDD.ALLOW_WRITE = $(USERS)

SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS, PASSWORD

SEC_CLIENT_AUTHENTICATION = REQUIRED

SEC_CLIENT_AUTHENTICATION_METHODS = FS, PASSWORD

SEC_DAEMON_AUTHENTICATION = REQUIRED

SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD

SEC_DAEMON_INTEGRITY = REQUIRED

SEC_DEFAULT_AUTHENTICATION = REQUIRED

SEC_DEFAULT_AUTHENTICATION_METHODS = FS, PASSWORD

SEC_DEFAULT_ENCRYPTION = REQUIRED

SEC_DEFAULT_INTEGRITY = REQUIRED

SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED

SEC_NEGOTIATOR_AUTHENTICATION_METHODS = FS, PASSWORD

SEC_NEGOTIATOR_INTEGRITY = REQUIRED

SEC_PASSWORD_FILE = /etc/condor/pool_password

SEC_READ_AUTHENTICATION = OPTIONAL

SEC_READ_AUTHENTICATION_METHODS = FS, PASSWORD

SHADOW.ALLOW_WRITE = $(WNS), $(CES)

USERS = *@gridpp.rl.ac.uk

WNS = condor@xxxxxxxxxxxxxxx/xxx.xx.*,condor@xxxxxxxxxxxxxxx/xxx.xx.

 

I assumed the domain was derived from the `TRUST_DOMAIN` ClassAd which is set to `gridpp.rl.ac.uk`. Is this new format of `condor@password` expected?

 

Many thanks,

 

Thomas Birkett

Senior Systems Administrator

Scientific Computing Department  

Science and Technology Facilities Council (STFC)

Rutherford Appleton Laboratory, Chilton, Didcot 
OX11 0QX

 

signature_609518872