...
Also, with the RPM install, ALLOW_WRITE = * which seems inherently insecure. Does this even matter when using security:recommended_v9_0?
idtokens
On just the CM
openssl rand -base64 32 | condor_store_cred add -c -f /etc/condor/passwords.d/POOL
condor_token_create -identity condor@testpost-cm.aoc.nrao.edu > /etc/condor/tokens.d/condor@testpost-cm.aoc.nrao.edu
echo 'SEC_TOKEN_POOL_SIGNING_KEY_FILE = /etc/condor/passwords.d/POOL' >> /etc/condor/config.d/99-nrao
systemctl restart condor
then switch to use security:recommended_v9_0 in 00-htcondor-9.0.config
On all other nodes
scp testpost-cm:/etc/condor/passwords.d/POOL /etc/condor/passwords.d
scp testpost-cm:/etc/condor/tokens.d/condor\@testpost-cm.aoc.nrao.edu /etc/condor/tokens.d
echo 'SEC_TOKEN_POOL_SIGNING_KEY_FILE = /etc/condor/passwords.d/POOL' >> /etc/condor/config.d/99-nrao
systemctl restart condor
then switch to use security:recommended_v9_0 in 00-htcondor-9.0.config
But then things like condor_off don't work (a.k.a. pool signing key): where does it need to live? Only on the CM? On all nodes? Other?
tokens: Can I create a "system" token to allow me as root to use things like condor_off from the CM?
testpost-cm-vml root >condor_off -name testpost002
ERROR
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL
AUTHENTICATE:1004:Failed to authenticate using SCITOKENS
AUTHENTICATE:1004:Failed to authenticate using GSI
GSI:5003:Failed to authenticate. Globus is reporting error (851968:50). There is probably a problem with your credentials. (Did you run grid-proxy-init?)
AUTHENTICATE:1004:Failed to authenticate using KERBEROS
AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
AUTHENTICATE:1004:Failed to authenticate using FS
Can't send Kill-All-Daemons command to master testpost002.aoc.nrao.edu
condor_ping
condor_ping: how can I use this to test authentication between an execution host and a submit host or a central manager? I can't seem to get condor_ping to connect to a startd and produce anything other than FAIL.
...