Mailing List Archives

Authenticated access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] condor_ssh_to_job & (remote) DAG

Hi,

Yes I remember that one, but this is permission denied on the schedd for DAG jobs (only) not for plain jobs, for which condor_ssh_to_job works fine.

Both of these are running on the same worker, one is submitted by dagman, one is not:

[bejones@aiadm02 condor]$ condor_ssh_to_job 920.0
bejones is not authorized for access to the starter for job 920.0
[bejones@aiadm02 condor]$ condor_ssh_to_job 918.0
Welcome to slot1_1@xxxxxxxxxxxxxxxxxxxx!
Your condor job is running with pid(s) 3077955.
[bejones@b9jantest662 dir_3077930]$
logout
Connection to condor-job.b9jantest662.cern.ch closed.
[bejones@aiadm02 condor]$ condor_q 918.0 -af RemoteHost
slot1_1@xxxxxxxxxxxxxxxxxxxx
[bejones@aiadm02 condor]$ condor_q 920.0 -af RemoteHost

cheers,
ben

On 15 Jul 2025, at 15:38, Thomas Hartmann <thomas.hartmann@xxxxxxx> wrote:

Hi Ben,

IIRC there was an issue with condor_ssh_to_job with the ssh shell not getting correctly placed in the sub slice of the job.

Can you check, if the job, to which you have tried to ssh to, has in its cgroup dir a `sshd` subdir? E.g., like [1] for a ssh_to_job session

Cheers,
 Thomas

[1]
[atlasprd000@batch1515 ~]$ echo  /sys/fs/cgroup/$(cat /proc/$$/cgroup | cut -d ":" -f 3-)/
/sys/fs/cgroup//system.slice/condordesy.service/condorjob.slice/condor_var_lib_condor_execute_slot1_41@xxxxxxxxxxxxxxxxx/sshd/


On 15/07/2025 14.56, Ben Jones wrote:
Hi,
Since at least 24.0.7, we have a problem with condor_ssh_to_job to jobs that have been submitted via dag.
We get errors like this:
$ condor_ssh_to_job 915.0
bejones is not authorized for access to the starter for job 915.0
Our submissions are always remote, and from the log it seems as though the reason is because the permission check includes the method, ie:
(D_ALWAYS:2) OwnerCheck reject, 'bejones@xxxxxxx' not ad owner: 'bejones@fsauth' UID_DOMAIN=cern.ch <http://cern.ch>
Is there some config to fix this?
cheers,
Ben
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe

The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/