Horde - Scheduler ACL clarification

Development Pipeline & Plugins
, ,
1

Hello,

I am using Horde server/agents with version 5.7.3. I use Azure as an authentication provider.

I’ve noticed recently that when I start a job manually, my building agents are correctly using the picking up UBA agents to distribute compute task.

I suppose that the server is passing my own account token which has AddComputeTask ACL correctly configured

But when the scheduler is starting jobs, I can notice in the job log that it does not have the permissions :

Horde cluster resolved as 'mtl-compute'
[126/1470] (Wall: 3.76s CPU: 3.64s Mem: 199.94 MB) Compile [x86-64] ChaosClothingSimulationMesh.ispc
Unable to get worker: EpicGames.Horde.Compute.ComputeClientException: User does not have AddComputeTasks permission for cluster mtl-compute (HTTP status Forbidden)
   at EpicGames.Horde.Compute.Clients.ServerComputeClient.ConnectAsync(Nullable`1 clusterId, Requirements requirements, String requestId, ConnectionMetadataRequest connection, Nullable`1 useUbaCache, ILogger workerLogger, CancellationToken cancellationToken)+MoveNext() in D:\HordeAgent\Main-Full\Sync\Engine\Source\Programs\Shared\EpicGames.Horde\Compute\Clients\ServerComputeClient.cs:line 348
   at EpicGames.Horde.Compute.Clients.ServerComputeClient.ConnectAsync(Nullable`1 clusterId, Requirements requirements, String requestId, ConnectionMetadataRequest connection, Nullable`1 useUbaCache, ILogger workerLogger, CancellationToken cancellationToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
   at EpicGames.Horde.Compute.Clients.ServerComputeClient.TryAssignWorkerAsync(Nullable`1 clusterId, Requirements requirements, String requestId, ConnectionMetadataRequest connection, Nullable`1 useUbaCache, ILogger logger, CancellationToken cancellationToken) in D:\HordeAgent\Main-Full\Sync\Engine\Source\Programs\Shared\EpicGames.Horde\Compute\Clients\ServerComputeClient.cs:line 249
   at UnrealBuildTool.UBAHordeSession.AddWorkerAsync(Requirements requirements, UnrealBuildAcceleratorHordeConfig hordeConfig, CancellationToken cancellationToken, Int32 activeCores) in D:\HordeAgent\Main-Full\Sync\Engine\Source\Programs\UnrealBuildTool\Executors\UnrealBuildAccelerator\UBAAgentCoordinatorHorde.cs:line 306
   at UnrealBuildTool.UBAHordeSession.AddWorkerAsync(Requirements requirements, UnrealBuildAcceleratorHordeConfig hordeConfig, CancellationToken cancellationToken, Int32 activeCores) in D:\HordeAgent\Main-Full\Sync\Engine\Source\Programs\UnrealBuildTool\Executors\UnrealBuildAccelerator\UBAAgentCoordinatorHorde.cs:line 278
   at UnrealBuildTool.UBAAgentCoordinatorHorde.<>c__DisplayClass8_0.<<Start>b__0>d.MoveNext() in D:\HordeAgent\Main-Full\Sync\Engine\Source\Programs\UnrealBuildTool\Executors\UnrealBuildAccelerator\UBAAgentCoordinatorHorde.cs:line 944

This is the scheduler configuration I have :

"schedule": {
"enabled": true,
"maxActive": 1,
"requireSubmittedChange": true,
"filter": [ "ContainsCode", "ContainsContent" ],
"gate": {
"templateId": "editor-template",
"target": "Compile Win64"
},
"patterns": [
  {
     "interval": "1h"
  }
],
"claims": [
  {
    "type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "value": "user_access"
  }
]
}

As you can see I tried using the claims property of a scheduler to impersonate users but that does not seems to work.

Could you provide some guidance regarding schedule job and UBA ?

Thank you

[Attachment Removed]

2

Steps to Reproduce
Start a 5.7.3 server with Azure authentication

Start a schedule job and note that the agents does not have permission to add compute tasks.

[Attachment Removed]

3

To give a little bit more context, I have defined two roles in my Azure App Registration :

user_access

admin_access

And this is the admin claim mapping in the server.json

"adminClaimType": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
"adminClaimValue": "admin_access",

Agents are running on Windows machine as service, and the service is running under a windows account that have the the role user_access

[Attachment Removed]

4

Well, this thread gave me the answer :

[Content removed]

There is no need to impersonate a user, only to give the compute task to the epic role “agent” in the uba cluster

[Attachment Removed]

5

Thank you for following up with the confirmation of the fix.

I’ll sync with the team to surface this information more clearly in the Horde UBA & Remote Compilation Tutorial and the Practical Debugging articles linked below.

https://dev.epicgames.com/documentation/unreal\-engine/horde\-unreal\-build\-accelerator\-and\-remote\-compilation\-tutorial\-for\-unreal\-engine

[Attachment Removed]