Global Pool resources need to authenticate with the local condor collector. This requires GSI authentication, so please make sure the following are available on your condor system:
- An up-to-date grid-mapfile and CA certificates.
- Optional: A condor_mapfile, if only specific user DNs should be allowed (rather than any user with VO CMS proxy certificates).
grid-mapfile and CA certificates
- If you don't have a grid-mapfile (usually in: /etc/grid-security/grid-mapfile), please follow these instructions in order to enable a grid-mapfile of VOs in your system.
- If you don't have CA certificates (usually in: /etc/grid-security/certificates), please follow this guide.
- Note: If your host has CVMFS available, you can also use the CA certificates from there. More details are in the condor configuration.
The condor_mapfile is used by condor to allow the authentication of specific DNs. Create it if you would like to restrict authentication to a certain group of users only.
These Distinguished Names (DNs) can be obtained as follows:
$ voms-proxy-info -identity
/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=khurtado/CN=764581/CN=Kenyi Paolo Hurtado Anampa
Please backslash-escape special characters such as spaces, =, /, etc.
GSI "^\/DC\=ch\/DC\=cern\/OU\=Organic\ Units\/OU\=Users\/CN\=khurtado\/CN\=764581\/CN\=Kenyi\ Paolo\ Hurtado\ Anampa" uscms01
GSI (.*) anonymous
FS (.*) \1
Note: If no condor_mapfile is created, the whole grid-mapfile will be used for the authentication table, so e.g. any CMS user mapped to uscms01 is allowed. This is the default authentication procedure when no condor_mapfile is created.
# GSS_ASSIST_GRIDMAP will
# map users from grid-mapfile
GSI (.*) GSS_ASSIST_GRIDMAP
FS (.*) \1
FS_REMOTE (.*) \1
SSL (.*) ssl@unmapped
KERBEROS ([^/]*)/?[^@]*@(.*) \1@\2
NTSSPI (.*) \1
CLAIMTOBE (.*) \1
PASSWORD (.*) \1
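The escaping and entry ordering of the custom condor_mapfile above can be checked before the file is deployed. The following is an added example, not part of the original page or of HTCondor: it builds the GSI line from the DN printed by voms-proxy-info and resolves identities against the resulting mapfile. The function names are hypothetical, and the lookup is a simplified model that assumes entries are tried top to bottom with the first match deciding.

```python
import re

# DN as printed by `voms-proxy-info -identity` (the example DN from this page).
DN = ("/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=khurtado"
      "/CN=764581/CN=Kenyi Paolo Hurtado Anampa")

def escape_dn(dn):
    """Backslash-escape every non-alphanumeric character (space, =, /, ...)."""
    return re.sub(r"([^A-Za-z0-9])", r"\\\1", dn)

def gsi_entry(dn, account):
    """Build the condor_mapfile line that maps this DN to a local account."""
    return 'GSI "^{}" {}'.format(escape_dn(dn), account)

def build_mapfile(dn, account):
    """Specific DN first, catch-all entries after it (same order as the page)."""
    return "\n".join([gsi_entry(dn, account), "GSI (.*) anonymous", r"FS (.*) \1"])

# method, then a quoted or bare regex, then the canonical name
LINE = re.compile(r'^(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)$')

def parse_mapfile(text):
    """Return (method, compiled regex, canonical name) for each entry."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        m = LINE.match(raw)
        if m is None:
            raise ValueError("malformed mapfile line: " + raw)
        method, quoted, bare, name = m.groups()
        pattern = quoted if quoted is not None else bare
        entries.append((method, re.compile(pattern), name))
    return entries

def resolve(entries, method, identity):
    """Simplified lookup: first entry of this method whose regex matches."""
    for entry_method, regex, name in entries:
        m = regex.search(identity) if entry_method == method else None
        if m:
            return m.expand(name)  # substitutes \1 where the entry uses it
    return None

if __name__ == "__main__":
    entries = parse_mapfile(build_mapfile(DN, "uscms01"))
    print(build_mapfile(DN, "uscms01"))
    print(resolve(entries, "GSI", DN))
    print(resolve(entries, "GSI", "/DC=org/DC=example/CN=Someone Else"))  # constructed DN
```

Because every non-alphanumeric character is escaped, a DN containing regex metacharacters such as `.` or `(` is matched literally rather than as a pattern.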
We need to specify that condor daemons require GSI authentication.
## Add this to your condor configuration.
# This is to authenticate CMS proxies or specific DNs with the collector
# Specify CA directory
GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
# Use this if you have CVMFS available and would like to use the certificates from OASIS instead.
# GSI_DAEMON_TRUSTED_CA_DIR = /cvmfs/oasis.opensciencegrid.org/mis/osg-wn-client/3.3/current/el6-x86_64/etc/grid-security/certificates
# Specify your grid-mapfile location
GRIDMAP = /etc/grid-security/grid-mapfile
# If you plan to use condor_mapfile, specify the location here
CERTIFICATE_MAPFILE = /etc/grid-security/condor_mapfile
# Require authentication for condor daemons and allow GSI
SEC_DAEMON_AUTHENTICATION = REQUIRED
# Note: CLAIMTOBE accepts the identity a client asserts without verifying it
SEC_DAEMON_AUTHENTICATION_METHODS = GSI, FS, CLAIMTOBE
# Allow users with CMS proxies
ALLOW_DAEMON = $(ALLOW_DAEMON), uscms01@$(UID_DOMAIN)/*