ckpt

2015-03-28 07:59:20 -07:00 · 2015-03-28 07:59:20 -07:00 · d2d02a1642
--- a/opal/mca/sec/base/sec_base_stubs.c
+++ b/opal/mca/sec/base/sec_base_stubs.c
@ -21,21 +21,28 @@
 int opal_sec_base_get_cred(char *method,
                           int dstorehandle,
                           opal_process_name_t *my_id,
-                           opal_sec_cred_t **cred)
+                           char **payload, size_t *size)
 {
    opal_sec_handle_t *hdl;
-
+    opal_sec_cred_t cred;
+    opal_buffer_t buf;
+    
    opal_output_verbose(5, opal_sec_base_framework.framework_output,
                        "Requesting credential from source %s",
                        (NULL == method) ? "ANY" : method);
-    
+
+    OBJ_CONSTRUCT(&buf, opal_buffer_t);
    OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
        if (NULL != method && 0 != strcmp(method, hdl->component->mca_component_name)) {
            continue;
        }
-        if (OPAL_SUCCESS == hdl->module->get_my_credential(dstorehandle, my_id, cred)) {
+        if (OPAL_SUCCESS == hdl->module->get_my_credential(dstorehandle, my_id, &cred)) {
            opal_output_verbose(5, opal_sec_base_framework.framework_output,
                                "Created credential from source %s", hdl->component->mca_component_name);
+            /* pack the credential */
+            if (OPAL_SUCCESS != opal_dss.pack(&buf, &cred, 1, OPAL_SEC_CRED)) {
+                
+            }
            /* record the source */
            (*cred)->method = strdup(hdl->component->mca_component_name);
            return OPAL_SUCCESS;
@ -45,24 +52,41 @@ int opal_sec_base_get_cred(char *method,
 }


-int opal_sec_base_validate(opal_sec_cred_t *cred)
+int opal_sec_base_validate(char *payload, size_t size)
 {
    opal_sec_handle_t *hdl;
-
+    opal_buffer_t buf;
+    int cnt;
+    opal_sec_cred_t *cred;
+    
    opal_output_verbose(5, opal_sec_base_framework.framework_output,
                        "Received credential %s from source %s",
                        (NULL == cred->credential) ? "NULL" : cred->credential,
                        (NULL == cred->method) ? "NULL" : cred->method);
    
-    OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
-        if (NULL != cred->method &&
-            0 != strcmp(cred->method, hdl->component->mca_component_name)) {
-            continue;
-        }
-        if (OPAL_SUCCESS == hdl->module->authenticate(cred)) {
-            return OPAL_SUCCESS;
+    OBJ_CONSTRUCT(&buf, opal_buffer_t);
+    buf.base_ptr = payload;
+    buf.bytes_used = size;
+    
+    cnt = 1;
+    while (OPAL_SUCCESS == opal_dss.unpack(&buf, &cred, &cnt, OPAL_SEC_CRED)) {
+        OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
+            if (NULL != cred->method &&
+                0 != strcmp(cred->method, hdl->component->mca_component_name)) {
+                OBJ_RELEASE(cred);
+                continue;
+            }
+            if (OPAL_SUCCESS == hdl->module->authenticate(cred)) {
+                OBJ_RELEASE(cred);
+                buf.base_ptr = NULL;
+                OBJ_DESTRUCT(&buf);
+                return OPAL_SUCCESS;
+            }
        }
+        cnt = 1;
    }
+    buf.base_ptr = NULL;
+    OBJ_DESTRUCT(&buf);
    return OPAL_ERROR;
 }

--- a/orte/mca/oob/tcp/help-oob-tcp.txt
+++ b/orte/mca/oob/tcp/help-oob-tcp.txt
@ -10,7 +10,7 @@
 #                         University of Stuttgart.  All rights reserved.
 # Copyright (c) 2004-2005 The Regents of the University of California.
 #                         All rights reserved.
-# Copyright (c) 2014      Intel, Inc. All rights reserved.
+# Copyright (c) 2014-2015 Intel, Inc. All rights reserved.
 # $COPYRIGHT$
 # 
 # Additional copyrights may follow
@ -64,3 +64,16 @@ value will be ignored.
  Local host: %s
  Value:      %s
  Message:    %s
+#
+[authent-fail]
+An attempt was made to make a TCP connection between two hosts:
+
+  Initiating host:  %s
+  Receiving host:   %s
+
+Unfortunately, the connection was refused due to a failure to
+authenticate. This is usually caused by a mis-match between
+the security domains of the two hosts - e.g., one might be
+using Munge while the other is not. This can typically be
+resolved by specifying the desired security method. For
+example, adding "--mca sec basic" to your command line.
--- a/orte/mca/oob/tcp/oob_tcp_connection.c
+++ b/orte/mca/oob/tcp/oob_tcp_connection.c
@ -803,7 +803,11 @@ int mca_oob_tcp_peer_recv_connect_ack(mca_oob_tcp_peer_t* pr,
    creds.credential = (char*)(msg + strlen(version) + 1 + strlen(creds.method) + 1);
    creds.size = hdr.nbytes - strlen(version) - 1 - strlen(creds.method) - 1;
    if (OPAL_SUCCESS != (rc = opal_sec.authenticate(&creds))) {
-        ORTE_ERROR_LOG(rc);
+        char *hostname;
+        hostname = orte_get_proc_hostname(&peer->name);
+        orte_show_help("help-oob-tcp.txt", "authent-fail", true,
+                       orte_process_info.nodename,
+                       (NULL == hostname) ? "unknown" : hostname);
        free(msg);
        return ORTE_ERR_CONNECTION_REFUSED;
    }