Bug 478475
| Summary: | RFE: Add new configuration parameters for proxy_userid and proxy_passwd | | |
|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Sateesh Potturu <sateeshpnv> |
| Component: | grid | Assignee: | William Henry <whenry> |
| Status: | CLOSED ERRATA | QA Contact: | Luigi Toscano <ltoscano> |
| Severity: | high | Priority: | low |
| Version: | 1.1 | CC: | iboverma, lbrindle, ltoscano, matt, rrati |
| Target Milestone: | 1.2 | Keywords: | FutureFeature |
| Target Release: | --- | Doc Type: | Enhancement |
| Hardware: | All | OS: | Linux |
| Last Closed: | 2009-12-03 09:20:10 UTC | Bug Blocks: | 527551 |
| Doc Text: | Grid enhancement. AMAZON_HTTP_PROXY now supports username and password in the URI. This allows condor to authenticate itself against the proxy, and ensures that EC2 jobs are correctly submitted. | | |
This can be reproduced with a squid proxy with the following configuration:

```
auth_param basic program /usr/lib64/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minutes
auth_param basic casesensitive off
acl pam proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src <local network>
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow pam
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
forwarded_for off
coredump_dir /var/spool/squid
```

And in condor_config.local, add:

```
AMAZON_HTTP_PROXY = http://<squid proxy>:3128/
```

Tested using squid 3.0.STABLE18 from Fedora 10 with condor-7.4.0pre.
The following errors appear in /tmp/AmazonGahpLog.<username>:

```
09/29 14:37:59 Using proxy server, host=localhost, port=3128
09/29 14:37:59 Using http proxy = http://localhost:3128/
09/29 14:37:59 Call to DescribeInstances failed: SOAP 1.1 fault: SOAP-ENV:Server [no subcode]
"HTTP/1.0 407 Proxy Authentication Required"
Detail: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>ERROR: Cache Access Denied</title> <style type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></style> </head> <body> <h1>ERROR</h1> <h2>Cache Access Denied.</h2> <hr> <p
09/29 14:37:59 Command(AMAZON_VM_STATUS_ALL) got error(code:Server, msg:HTTP/1.0 407 Proxy Authentication Required
```

Sample EC2 job:

```
# Tell Condor to use EC2
universe = grid
grid_resource = amazon
# A name to show in condor_q, not the standard use of "executable"
executable = test_ec2
transfer_executable = false
amazon_public_key = <path>/<public key file>
amazon_private_key = <path>/<private key file>
amazon_ami_id = <AMI ID>
amazon_keypair_file = /tmp/keypair.$(PROCESS)
queue
```

Fixed in: condor-7.4.0.0.6

Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents: please see bug summary.

AMAZON_HTTP_PROXY supports username and password in the URI, thus condor can authenticate itself against the proxy and EC2 jobs are correctly submitted.

Tested on RHEL 5.4, i386/x86_64:

- condor-7.4.1-0.4
- condor-ec2-enhanced-hooks-1.0-19
- condor-job-hooks-1.0-13
- python-condor-ec2-enhanced-hooks-common-1.0-19
- python-condor-job-hooks-common-1.0-13

Changing the status to VERIFIED.

Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:

@@ -1 +1,3 @@ -please see bug summary.+Grid enhancement. + +AMAZON_HTTP_PROXY now supports username and password in the URI. This allows condor to authenticate itself against the proxy, and ensures that EC2 jobs are correctly submitted.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1633.html
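Review bot: the added release-note text in the "Diffed Contents" hunk (`+AMAZON_HTTP_PROXY now supports username and password in the URI`) never shows the URI syntax, so an administrator cannot tell from the note where the credentials go. Suggest including the accepted form, for example `AMAZON_HTTP_PROXY = http://<username>:<password>@<squid proxy>:3128/`, and stating that the password is then stored in clear text in the Condor configuration, so that readers know to restrict access to that file.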
Created attachment 327974: test code changes to condor_amazon to set proxy_userid and proxy_passwd to gSOAP

Description of problem:

Proxy support of condor_amazon does not have proxy_userid and proxy_passwd, though the underlying gSOAP does have these parameters. Due to this limitation, a lot of enterprises that allow only authenticated users to access the internet via proxy cannot use condor_amazon.

Version-Release number of selected component (if applicable): Condor 7.2.0

How reproducible: Always, if used from behind a proxy that requires user credentials

Steps to Reproduce:

1. Use from behind a proxy that requires user name and password
2. condor_submit a grid universe, amazon grid_resource job
3. Observe contents of /tmp/AmazonGahpLog.<username>

Actual results: When used from behind a proxy that requires user credentials, condor cannot start VMs in Amazon EC2.

Expected results: When used from behind a proxy that requires user credentials, condor should be able to start VMs in Amazon EC2. For this purpose, condor should allow the following format for AMAZON_HTTP_PROXY, similar to that of the http_proxy shell variables -- http[s]://[<username>:<password>]@{<host>}:[<port>][/]. Accordingly, userid and passwd should be extracted and passed to gSOAP.

Additional info: Attached diff file is a test code (with no negative testing and no configuration parameters) to illustrate code changes required (excluding those for accepting new configuration parameters in condor_config.
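The extraction requested in the description, splitting an `AMAZON_HTTP_PROXY` value into the host, port, userid and passwd that gSOAP takes, is sketched below as an added example; it is not the attached patch and not Condor's code. `ProxySettings`, `parse_proxy_uri` and `redacted` are hypothetical names, and the redacted form is included because the GAHP log quoted above prints the proxy URL.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>

// Hypothetical holder; fields mirror gSOAP's proxy_host/proxy_port/proxy_userid/proxy_passwd.
struct ProxySettings {
    std::string host, userid, passwd;
    int port = 0;        // 0 = no port given in the URI
    bool valid = false;
};
// Parse http[s]://[<username>:<password>@]<host>[:<port>][/].
// Assumption: credentials are taken literally (no percent-decoding).
ProxySettings parse_proxy_uri(const std::string &uri) {
    ProxySettings p;
    std::string::size_type n = uri.find("://");
    if (n == std::string::npos) return p;
    std::string scheme = uri.substr(0, n), rest = uri.substr(n + 3);
    if (scheme != "http" && scheme != "https") return p;
    rest = rest.substr(0, rest.find('/'));             // authority part only
    if ((n = rest.rfind('@')) != std::string::npos) {  // last '@' ends userinfo
        std::string cred = rest.substr(0, n);
        rest = rest.substr(n + 1);
        n = cred.find(':');                            // first ':' splits user/pass
        if (n == std::string::npos || n == 0) return p;
        p.userid = cred.substr(0, n);
        p.passwd = cred.substr(n + 1);
    }
    if ((n = rest.rfind(':')) != std::string::npos) {
        const char *digits = rest.c_str() + n + 1;
        char *end = nullptr;
        long port = std::strtol(digits, &end, 10);
        if (end == digits || *end || port < 1 || port > 65535) return p;
        p.port = static_cast<int>(port);
        rest.erase(n);
    }
    p.host = rest;
    p.valid = !rest.empty();                           // host is mandatory
    return p;
}

// Log-safe form of the proxy setting: the password is never included.
std::string redacted(const ProxySettings &p) {
    std::string s = p.userid.empty() ? p.host : p.userid + ":***@" + p.host;
    return p.port ? s + ":" + std::to_string(p.port) : s;
}

int main() {  // constructed sample value, not from the bug report
    std::cout << "Using http proxy = "
              << redacted(parse_proxy_uri("http://alice:s3cr:et@proxy.example.com:3128/")) << "\n";
}
```

A caller should use the result only when `valid` is true, since a rejected URI can leave the credential fields partly filled.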