ckpt

opal/mca/sec/base/sec_base_stubs.c

@@ -21,21 +21,28 @@
 int opal_sec_base_get_cred(char *method,
                            int dstorehandle,
                            opal_process_name_t *my_id,
-                           opal_sec_cred_t **cred)
+                           char **payload, size_t *size)
 {
     opal_sec_handle_t *hdl;
-
+    opal_sec_cred_t cred;
+    opal_buffer_t buf;
+    
     opal_output_verbose(5, opal_sec_base_framework.framework_output,
                         "Requesting credential from source %s",
                         (NULL == method) ? "ANY" : method);
-    
+
+    OBJ_CONSTRUCT(&buf, opal_buffer_t);
     OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
         if (NULL != method && 0 != strcmp(method, hdl->component->mca_component_name)) {
             continue;
         }
-        if (OPAL_SUCCESS == hdl->module->get_my_credential(dstorehandle, my_id, cred)) {
+        if (OPAL_SUCCESS == hdl->module->get_my_credential(dstorehandle, my_id, &cred)) {
             opal_output_verbose(5, opal_sec_base_framework.framework_output,
                                 "Created credential from source %s", hdl->component->mca_component_name);
+            /* pack the credential */
+            if (OPAL_SUCCESS != opal_dss.pack(&buf, &cred, 1, OPAL_SEC_CRED)) {
+                
+            }
             /* record the source */
             (*cred)->method = strdup(hdl->component->mca_component_name);
             return OPAL_SUCCESS;
@@ -45,24 +52,41 @@ int opal_sec_base_get_cred(char *method,
 }
 
 
-int opal_sec_base_validate(opal_sec_cred_t *cred)
+int opal_sec_base_validate(char *payload, size_t size)
 {
     opal_sec_handle_t *hdl;
-
+    opal_buffer_t buf;
+    int cnt;
+    opal_sec_cred_t *cred;
+    
     opal_output_verbose(5, opal_sec_base_framework.framework_output,
                         "Received credential %s from source %s",
                         (NULL == cred->credential) ? "NULL" : cred->credential,
                         (NULL == cred->method) ? "NULL" : cred->method);
     
-    OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
+    OBJ_CONSTRUCT(&buf, opal_buffer_t);
-        if (NULL != cred->method &&
+    buf.base_ptr = payload;
-            0 != strcmp(cred->method, hdl->component->mca_component_name)) {
+    buf.bytes_used = size;
-            continue;
+    
-        }
+    cnt = 1;
-        if (OPAL_SUCCESS == hdl->module->authenticate(cred)) {
+    while (OPAL_SUCCESS == opal_dss.unpack(&buf, &cred, &cnt, OPAL_SEC_CRED)) {
-            return OPAL_SUCCESS;
+        OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
+            if (NULL != cred->method &&
+                0 != strcmp(cred->method, hdl->component->mca_component_name)) {
+                OBJ_RELEASE(cred);
+                continue;
+            }
+            if (OPAL_SUCCESS == hdl->module->authenticate(cred)) {
+                OBJ_RELEASE(cred);
+                buf.base_ptr = NULL;
+                OBJ_DESTRUCT(&buf);
+                return OPAL_SUCCESS;
+            }
         }
+        cnt = 1;
     }
+    buf.base_ptr = NULL;
+    OBJ_DESTRUCT(&buf);
     return OPAL_ERROR;
 }
 

orte/mca/oob/tcp/help-oob-tcp.txt

@@ -10,7 +10,7 @@
 #                         University of Stuttgart.  All rights reserved.
 # Copyright (c) 2004-2005 The Regents of the University of California.
 #                         All rights reserved.
-# Copyright (c) 2014      Intel, Inc. All rights reserved.
+# Copyright (c) 2014-2015 Intel, Inc. All rights reserved.
 # $COPYRIGHT$
 # 
 # Additional copyrights may follow
@@ -64,3 +64,16 @@ value will be ignored.
   Local host: %s
   Value:      %s
   Message:    %s
+#
+[authent-fail]
+An attempt was made to make a TCP connection between two hosts:
+
+  Initiating host:  %s
+  Receiving host:   %s
+
+Unfortunately, the connection was refused due to a failure to
+authenticate. This is usually caused by a mis-match between
+the security domains of the two hosts - e.g., one might be
+using Munge while the other is not. This can typically be
+resolved by specifying the desired security method. For
+example, adding "--mca sec basic" to your command line.

orte/mca/oob/tcp/oob_tcp_connection.c

@@ -803,7 +803,11 @@ int mca_oob_tcp_peer_recv_connect_ack(mca_oob_tcp_peer_t* pr,
     creds.credential = (char*)(msg + strlen(version) + 1 + strlen(creds.method) + 1);
     creds.size = hdr.nbytes - strlen(version) - 1 - strlen(creds.method) - 1;
     if (OPAL_SUCCESS != (rc = opal_sec.authenticate(&creds))) {
-        ORTE_ERROR_LOG(rc);
+        char *hostname;
+        hostname = orte_get_proc_hostname(&peer->name);
+        orte_show_help("help-oob-tcp.txt", "authent-fail", true,
+                       orte_process_info.nodename,
+                       (NULL == hostname) ? "unknown" : hostname);
         free(msg);
         return ORTE_ERR_CONNECTION_REFUSED;
     }