Unauthorized request (15007)

I inherited an installation of pbs, version 20.0.1 (as reported by qstat --version) and I would like to make it possible for other users to submit jobs. Originally there were three users included in the acl_users lists and these users can still submit jobs. I added two other users to the acl_users lists and they are correctly included in the output of the command
qmgr -c "list queue workq acl_users" (see attached screenshot)


They are the users pbs-sb001897 and sb001897
But when I try to submit a job as one of them, I get the error message Unauthorized request.
I also turned off acl_user_enable for that queue (see same screenshot).
Finally I turned off and restarted pbs (/etc/init.d/pbs [stop/restart])
But despite all these attempts I still get the error Unauthorized request.
Is there anything else I can try?
Thanks in advance for any help,
Massimo

Please share the output of this command qmgr -c "print server" and also the server logs (tail -f in another terminal) when you try to submit as one of the newly added acl users.

Thanks! I realized reading your answer that I had to add acl_users also to the server (I did it for the queue but, obviously, it was not enough). Is it possible to add as PBS users also those who are authenticated using Active Directory?
From the Linux viewpoint they appear as users with very high UID. UID like 50878681 instead of 1004, …
Thanks again!
Massimo


Any user (Linux or ldap or active directory) who can successfully log in (via ssh) with his username on the PBS server and Compute nodes can submit jobs to PBS Pro. There is no additional step to add users to PBS Pro.

Thanks, the user in the Active Directory can run "qstat" (he could before I added in server acl_users) but when he runs qsub he gets "Unauthorized request" even for interactive mode (qsub -I).
Thanks again,
Massimo

What does the corresponding PBS Server log tell you when you run qsub -I as that user? Please check that. Please share the output of qmgr -c "print server" run as root user.

Thanks, please find below the output of the qmgr -c "print server" command and a screenshot of the server_log when there is the Unauthorized request error


Thanks again!
Massimo

# Create resources and set their properties.

# Create and define resource ngpus

create resource ngpus
set resource ngpus type = long
set resource ngpus flag = hn

# Create queues and set their attributes.

# Create and define queue workq

create queue workq
set queue workq queue_type = Execution
set queue workq acl_user_enable = True
set queue workq acl_users = pbs-00097972@*
set queue workq acl_users += pbs-00650614@*
set queue workq acl_users += pbs-04809349@*
set queue workq acl_users += pbs-sb001897@*
set queue workq acl_users += sb001897@*
set queue workq acl_group_enable = False
set queue workq enabled = True
set queue workq started = True

# Set server attributes.

set server scheduling = True
set server acl_user_enable = True
set server acl_users = pbs-00097972@*
set server acl_users += pbs-00650614@*
set server acl_users += pbs-04809349@*
set server acl_users += pbs-sb001897@*
set server acl_users += sb001897@*
set server acl_roots = pbs-00097972@*
set server acl_roots += pbs-00650614@*
set server acl_roots += pbs-04809349@*
set server operators = pbs-00097972@*
set server operators += pbs-00650614@*
set server operators += pbs-04809349@*
set server default_queue = workq
set server log_events = 511
set server mail_from = adm
set server query_other_jobs = True
set server resources_default.ncpus = 1
set server default_chunk.ncpus = 1
set server scheduler_iteration = 600
set server flatuid = True
set server resv_enable = True
set server node_fail_requeue = 310
set server max_array_size = 10000
set server pbs_license_min = 0
set server pbs_license_max = 2147483647
set server pbs_license_linger_time = 31536000
set server eligible_time_enable = False
set server max_concurrent_provision = 5
set server max_job_sequence_id = 9999999

Thank you Massimo for sharing this information.
You have acl_users set at server level and queue level.
Would it be possible to move this to QUEUE level only and unset it from the server level?

Might be worth a try adding the user@FQDN to the acl_users:
qmgr -c "set queue workq acl_users += sb001897@rmusc.rm.unicatt.it@pc01.fpg.local"
I am not sure why your username@fqdn is as above.

Thank you for the guidance. I tried to add the user with the FQDN, that is
sb001897@rmusc.rm.unicatt.it@hpc01.fpg.local
but it did not change the situation. Then I tried to turn off the acl completely both at queue and at server level (acl_users_enable=false). At every change I stopped and restarted pbs but the situation did not change. What puzzles me more is that the same user can run qstat but for any qsub request there is an error. With the acl turned off, qsub -I returns “Invalid request” whereas qsub testjob returns “Unauthorized request”. The script testjob works fine for a local (non Active Directory) user. May the problem be related to the pbsdata group? Why does qstat work while qsub does not?
Thanks again!
Massimo

I think (not sure or might be wrong) it is related to the user name and domain; you can see there are two “@”.

I think it is better to flush out all the acl_enable and acl_users settings and try with AD and local users, to see whether it makes any difference.

Try setting qmgr: set server flatuid = true

Thank you and hope this helps
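
Added example, not part of any post in this thread and not PBS code: a small Python audit of `qmgr -c "print server"` output that reports which enabled ACL level (server or queue) does not list a given user, the situation described earlier where the user was in the queue list but not the server list. The sample text is constructed, and the matching rule (literal user name, wildcard host, split on the last `@`) is an assumption rather than PBS's own logic.

```python
import fnmatch
import re

# Constructed sample in the shape of the `qmgr -c "print server"` output above.
SAMPLE = """\
set queue workq acl_user_enable = True
set queue workq acl_users = pbs-00097972@*
set queue workq acl_users += sb001897@*
set server acl_user_enable = True
set server acl_users = pbs-00097972@*
"""
LINE = re.compile(r"^set (server|queue (\S+)) (\S+) (\+?=) (.*)$")

def parse_acls(text):
    """Map 'server' / 'queue:<name>' to {'enabled': bool, 'users': [entries]}."""
    acls = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        scope = "server" if m.group(1) == "server" else "queue:" + m.group(2)
        attr, op, value = m.group(3), m.group(4), m.group(5).strip()
        acl = acls.setdefault(scope, {"enabled": False, "users": []})
        if attr == "acl_user_enable":
            acl["enabled"] = value.lower() == "true"
        elif attr == "acl_users":
            if op == "=":          # plain '=' replaces the list, '+=' appends
                acl["users"] = []
            acl["users"].append(value)
    return acls

def entry_matches(entry, user, host):
    """Assumed matching: literal user, shell-style wildcard on the host part."""
    # Split on the LAST '@' so a user name that itself contains '@' stays whole.
    pat_user, sep, pat_host = entry.rpartition("@")
    if not sep:                    # entry given without a host part
        pat_user, pat_host = entry, "*"
    return pat_user == user and fnmatch.fnmatch(host, pat_host)

def blocking_levels(text, user, host, queue):
    """Return the enabled ACL levels whose acl_users do not admit user@host."""
    acls = parse_acls(text)
    blocked = []
    for scope in ("server", "queue:" + queue):
        acl = acls.get(scope)
        if acl and acl["enabled"] and not any(
                entry_matches(e, user, host) for e in acl["users"]):
            blocked.append(scope)
    return blocked
```

Feeding it the real `print server` output and the user name exactly as the server log records it shows at a glance whether a listed entry and the requesting identity differ, for example when the name itself contains an `@`.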