none
SchedulerException: Permission Denied RRS feed

  • Question

  • Hi,

    A service runs under UserX account. It can make the following call without any problem:

    var scheduler = new Scheduler();
    scheduler.Connect(gridHeadNodeName);

    but when it actually submits a job
     
    scheduler.SubmitJob(schedulerJob, UserXDomainName, UserXPassword);

     the follwoing exception is thrown:
    SchedulerException: Permission denied.
       at Microsoft.Hpc.Scheduler.Store.StoreServer.Task_AddTaskToJob(Int32 jobId, Int32& taskId, StoreProperty[] taskProps)
       at Microsoft.Hpc.Scheduler.Store.JobEx.CreateTask(StoreProperty[] taskProperties)
       at Microsoft.Hpc.Scheduler.SchedulerTask.CreateTask(IClusterJob job, Int32 rootGroupId, Dictionary`2 taskGroupIdMapping)
       at Microsoft.Hpc.Scheduler.SchedulerJob.CreateJob()
       at Microsoft.Hpc.Scheduler.SchedulerJob.Submit(ISchedulerStore store, String username, String password)
    The code worked last week and I'm wondering what rights disappeared that it stopped working. Any idea how I can figure out what rights are missing and how to add them?

    Thanks

    Pawel

    Wednesday, May 20, 2009 8:58 AM

Answers

  • Ok , I solved the problem.

    This is a (.NET Reflector) code snippet from JobQueryContext.ValidateCaller

      if (this._owner != ntIdentity.Name)
    {
    if (!new WindowsPrincipal(ntIdentity).IsInRole(WindowsBuiltInRole.Administrator))
    {
    return new CallResult(-2147220981);
    }
    base._role = CallerRole.AdminUser;
    }
    The comparison is case sensitive and the check actually passes for the following values:
    DOMAIN\user and DOMAIN\USER. My user is not in Administrator role and that's why I got "Permission Denied" error message. I don't know how the data got out of sync with the data in AD. I fixed the casing and all works fine.

    I consider this a bug as the comparison should be case-insensitive . Windows treats user names in case-insensitive way thus I don't see why HPCScheduler should more strict.

    Thanks

    Pawel
    • Marked as answer by PawelPabich Thursday, May 21, 2009 5:54 AM
    Thursday, May 21, 2009 5:53 AM

All replies

  • Ok , I solved the problem.

    This is a (.NET Reflector) code snippet from JobQueryContext.ValidateCaller

      if (this._owner != ntIdentity.Name)
    {
    if (!new WindowsPrincipal(ntIdentity).IsInRole(WindowsBuiltInRole.Administrator))
    {
    return new CallResult(-2147220981);
    }
    base._role = CallerRole.AdminUser;
    }
    The comparison is case sensitive and the check actually passes for the following values:
    DOMAIN\user and DOMAIN\USER. My user is not in Administrator role and that's why I got "Permission Denied" error message. I don't know how the data got out of sync with the data in AD. I fixed the casing and all works fine.

    I consider this a bug as the comparison should be case-insensitive . Windows treats user names in case-insensitive way thus I don't see why HPCScheduler should more strict.

    Thanks

    Pawel
    • Marked as answer by PawelPabich Thursday, May 21, 2009 5:54 AM
    Thursday, May 21, 2009 5:53 AM
  • Hi Pawel

    Thanks for root causing this for us! Yes, this is a bug in our code - we've checked this fix into the service pack branch, so it will be part of our SP1 release in a few weeks.

    cheers
    jeff
     
    Wednesday, May 27, 2009 3:04 PM