
Re: [HTCondor-users] Auth level for condor_token_request?



condor_token_request uses the DAEMON authorization level for configuration (SEC_DAEMON_AUTHENTICATION_METHODS, etc).

Note that condor_token_request doesn't use the DAEMON level for authorization decisions (i.e. ALLOW_DAEMON). All clients are automatically authorized to make a request. An admin must review and approve requests before a token is generated and issued to the client.

 - Jaime

> On Aug 9, 2023, at 8:58 AM, Fischer, Max (SCC) <max.fischer@xxxxxxx> wrote:
> 
> Hi all,
> 
> for our HTCondor-CEs I am trying to get server-only SSL authentication [0] for clients doing condor_token_request to work but the CE refuses this. As far as I can tell, this is because its COLLECTOR.SEC_*_AUTHENTICATION_METHODS are anything but FS only for READ, WRITE, ADVERTISE_STARTD. Reconfiguring the CE to use SEC_DEFAULT_AUTHENTICATION_METHODS with SSL is sufficient for server-only SSL, but I would like to avoid such a broad change.
> 
> Which *specific* permission level is used on the Collector to handle a condor_token_request?
> 
> Cheers,
> Max
> 
> [0]
> https://htcondor.readthedocs.io/en/latest/admin-manual/security.html#ssl-authentication