Mailing List Archives Public Access	UW Madison Computer Sciences Department Computer Systems Lab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] How can I explicitly weaken security requirements just for condor.cs.wisc.edu ad updates?

Date: Tue, 15 Mar 2005 15:35:49 +0000
From: David McBride <dwm@xxxxxxxxxxxx>
Subject: Re: [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?

On Tue, 2005-03-15 at 09:13 -0600, Zachary Miller wrote:

> what you want to say is this:
> 
> SEC_CLIENT_AUTHENTICATION = OPTIONAL
> SEC_CLIENT_ENCRYPTION = OPTIONAL
> SEC_CLIENT_INTEGRITY = OPTIONAL
>
> all outgoing connections look first at SEC_CLIENT_*, and fall back to
> SEC_DEFAULT_* if the first is not found.  this tells the client it doesn't
> need to authenticate unless the server asks it to, which is what you want.
> 
> so our collector wont ask you to authenticate your update, but your local
> daemons will still require it.  (they will use the SEC_DEFAULT_*)

Gotcha.

> acutally, all outgoing commands look at SEC_CLIENT_*.  the other levels (READ,
> WRITE, ADMINISTRATOR) are looked at only by the server side to enforce policy
> on incoming commands.
>
> please let me know if that wasn't clear.

No, that makes excellent sense.  

The main part that was throwing me off was that I thought that the
SEC_WRITE_* fields must be being used as given that my logs didn't have
any mention of ANONYMOUS access being attempted; but of course, as you
don't have ANONYMOUS access permitted on your collector then the
negotiation phase would have already eliminated that as an option.

> side note:

> > # Anonymous access is sufficient for read access.
> > SEC_CLIENT_AUTHENTICATION_METHODS = KERBEROS, ANONYMOUS
> > SEC_READ_AUTHENTICATION_METHODS = KERBEROS, ANONYMOUS
> 
> you'll still be using KERBEROS for read commands.  while both the client side
> (which looks at SEC_CLIENT_*) and the server side (which looks at SEC_READ_*)
> both have anonymous in the list, the list is ordered.  you should say:
> 
>   SEC_READ_AUTHENTICATION_METHODS = ANONYMOUS, KERBEROS
> 
> instead.  it is the order of the methods that the server sees that is used.

Yeah, that was actually deliberate.  I wanted to allow anonymous access
(so that my CondorStats[0] cronjob could get the current pool state
without needing to keep TGT's around) whilst still using Kerberos as the
default if it was available.  

That way end-user actions would be accountable by default, which I
thought might be handy later.

Thanks very much.

Cheers,
David
-- 
David McBride <dwm@xxxxxxxxxxxx>
Department of Computing, Imperial College, London

Attachment: signature.asc
Description: This is a digitally signed message part

References:
- [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?
  - From: David McBride
- Re: [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?
  - From: Zachary Miller

Prev by Date: Re: [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?
Next by Date: Re: [Condor-users] Absolute and relative paths on Windows.
Previous by thread: Re: [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?
Next by thread: RE: [Condor-users] split processors among multiple jobs
Index(es):
- Date
- Thread

Mailing List Archives

Public Access

Re: [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?

Re: [Condor-users] How can I explicitly weaken security requirements just for condor.cs.wisc.edu ad updates?