Bug #23372

default condor configuration for condor 8.8 / OSG 3.5 does not authenticate correctly

Added by Dennis Box about 2 months ago. Updated 12 days ago.

Status: Resolved
Priority: Urgent
Category: -
Start date: 10/03/2019
% Done: 0%

Description

I just did a test install of the 3.6 frontend and factory from the OSG 3.5 repo which uses condor 8.8.5. On startup, the condor daemons fail to authenticate amongst themselves on the same machine.

I tried upgrading condor to 8.9.3, and applying my 'known good' changes to the condor config. When I did this, everything works as expected.

I tried a fresh install with OSG 3.5, and applied my 'known good' 8.9 changes to the 8.8 configuration, but this did not fix authentication.

History

#1 Updated by Dennis Box about 2 months ago

This was added to the condor configuration files when I did the rpm install:

SEC_NEGOTIATOR_AUTHENTICATION_METHODS = PASSWORD
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD

To make authentication work again for 8.8.5, this setting

SEC_DEFAULT_AUTHENTICATION_METHODS = FS,GSI

needs to become this:

SEC_DEFAULT_AUTHENTICATION_METHODS = FS,PASSWORD,GSI

#2 Updated by Marco Mambelli 24 days ago

  • Priority changed from Normal to Urgent

#3 Updated by Dennis Box 21 days ago

  • Assignee changed from Dennis Box to Marco Mambelli
  • Status changed from New to Feedback

OSG 3.5 condor configuration is identical to OSG 3.4, with the addition of a new file:
/etc/condor/config.d/00-osg_default_security.config
This file sets PASSWORD authentication as the default among other things.

When this file is removed and condor restarted, glideinwms begins to authenticate.

#4 Updated by Marco Mambelli 20 days ago

  • Assignee changed from Marco Mambelli to Dennis Box

If without that file all is OK like before,
then add instruction to remove/move that file and touch an empty file.

Send also an email to OSG (Brian Lin) to understand why that was added.
If OSG provided already an explanation, add it to this ticket.

Then the ticket can be resolved. Thanks

#5 Updated by Dennis Box 18 days ago

I found that 00_gwms_general.config could be altered so that it works 'out of the box' on both osg 34 and osg 35.

To do this, change line 31 from

SEC_DEFAULT_AUTHENTICATION_METHODS = FS,GSI

to

SEC_DEFAULT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS),FS,GSI

and add the following 2 lines to the file:

SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS)
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS)

#6 Updated by Marco Mambelli 12 days ago

  • Status changed from Feedback to Resolved

Changes are in v36/23372
Modified general and collector template to make sure that FS and GSI are in all sec_... (SEC_DEFAULT_AUTHENTICATION_METHODS, SEC_DAEMON_AUTHENTICATION_METHODS, SEC_NEGOTIATOR_AUTHENTICATION_METHODS which are modified by the OSG settings).
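
The override behaviour behind this ticket, as an added example that is not part of the ticket or of the glideinWMS code: a small Python model of how the three knobs resolve when the OSG file is read before 00_gwms_general.config, before and after the change from comment #5. The fragments are constructed from the lines quoted in the comments above; the read order, the function names and the simplified macro handling are assumptions of the example.

```python
import re

# Constructed fragments: only the lines quoted in this ticket, not the real files.
OSG_DEFAULT = """\
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = PASSWORD
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
"""
GWMS_BEFORE = "SEC_DEFAULT_AUTHENTICATION_METHODS = FS,GSI\n"
GWMS_AFTER = """\
SEC_DEFAULT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS),FS,GSI
SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS)
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS)
"""
KNOBS = ("SEC_DEFAULT_AUTHENTICATION_METHODS",
         "SEC_DAEMON_AUTHENTICATION_METHODS",
         "SEC_NEGOTIATOR_AUTHENTICATION_METHODS")
MACRO = re.compile(r"\$\((\w+)\)")

def load(fragments):
    """Read fragments in order; a later assignment replaces an earlier one."""
    table = {}
    for text in fragments:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            name, value = (part.strip() for part in line.split("=", 1))
            name = name.upper()
            old = table.get(name, "")
            # A self-reference is replaced with the previous value at assignment time.
            table[name] = MACRO.sub(
                lambda m: old if m.group(1).upper() == name else m.group(0), value)
    return table

def methods(table, knob, depth=10):
    """Effective method list; an unset knob falls back to the DEFAULT knob."""
    value = table.get(knob, table.get(KNOBS[0], ""))
    while depth and MACRO.search(value):  # other macros expand at lookup time
        value = MACRO.sub(lambda m: table.get(m.group(1).upper(), ""), value)
        depth -= 1
    return [m.strip().upper() for m in value.split(",") if m.strip()]

def missing(fragments, required=("FS", "GSI")):
    """Per knob, the required methods that are absent from the effective list."""
    table = load(fragments)
    return {k: [r for r in required if r not in methods(table, k)] for k in KNOBS}

if __name__ == "__main__":
    for label, gwms in (("before", GWMS_BEFORE), ("after", GWMS_AFTER)):
        print(label, missing([OSG_DEFAULT, gwms]))
```

With the original line 31, the DAEMON and NEGOTIATOR knobs stay at PASSWORD because they are more specific than the DEFAULT knob that 00_gwms_general.config sets; with the change from comment #5 all three lists contain FS and GSI.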


