Global Pool resources need to authenticate with the local condor collector. This will require GSI authentication, so please make sure you have the following on your condor system available:
- A grid-mapfile and CA certificates updated.
- Optional: A condor_mapfile if only specific user DNs want to be allowed (rather than any user with VO CMS proxy certificates).
grid-mapfile and CA certificates
- If you don't have a grid-mapfile (usually in: /etc/grid-security/grid-mapfile), please follow these instructions in order to enable a grid-mapfile of VOs in your system.
- If you don't have CA certificates (usually in: /etc/grid-security/certificates), please follow this guide.
- Note: If your host has CVMFS available you can also use the CA certificates from there. More details on the condor configuration.
This is used by condor to allow the authentication of specific DNs. Create this if you would like to restrict the authentication to a certain group of users only.
These Distinguished Names (DN) can be obtained as followed:
Please, backslack special characters like spaces, =, /, etc.
Note: If no condor_mapfile is created, the whole grid-mapfile will be used for the authentication table. Then e.g any CMS user mapped to uscms01 can be allowed. This is the default authentication procedure when no condor_mapfile is created.
We will need to specify that condor daemons will require GSI authentication.