
Re: [Condor-users] condor cod



On Wed, 14 Sep 2005 15:05:02 +0100  matthias.m.roehm@xxxxxxxxxxxxxxxxxxx wrote:

> so I had to configure condor "claim" to be secure.

yikes.  that's not really a good idea. ;) the reason COD forces you to
authenticate is because it's allowing you to start jobs directly as
yourself, without the usual checks condor performs if you submit it
through the regular job queue.
 
if you open up your pool in the way described in the previous message
(with optional negotiation, "CLAIMTOBE", etc), then you better be able
to trust every user on every machine that can connect to your condor
daemons at all.  otherwise, anyone who wants to could use cod to start
a process as any user they want.  if that's ok for your site, then
yes, the previous suggestion should at least get it working.

however, a better approach might be to get another authentication
method working.  if you can't use GSI, or kerberos, or something like
that, you may want to stick to using "FS" (file system)
authentication, but then you can only run condor_cod on the same
machine where you want to do the command.  that shouldn't be too much
of a problem if you have ssh keys setup or something like that, and
use ssh to securely run your command on the remote machine, and then
condor can use the local file system to authenticate between the cod
command and the condor_startd it's trying to talk to...

and yes, the question of operating system matters, since unfortunately
(and we know this sucks and we're working on it), there's no
authentication method supported by condor that works across both
windows and unix.  if you've got a mix, and you *need* cod to work
from one to the other, then you're stuck with CLAIMTOBE, and you'd
better be able to trust all the users/machines in your pool.

sorry,
-derek (condor team)
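The two configurations being contrasted in Derek's reply, written out as a condor config fragment. This is an added example, not config from the original thread or from the Condor project; the knob names (SEC_DEFAULT_NEGOTIATION, SEC_DEFAULT_AUTHENTICATION, SEC_DEFAULT_AUTHENTICATION_METHODS) are taken from Condor's security configuration and are assumed here since the thread never spells them out. The two halves are alternatives: use one or the other, not both, since a later assignment in a condor config file overrides an earlier one.

```ini
# --- Alternative A: the "open it up" approach from the earlier suggestion ---
# Negotiation and authentication are optional and the only method offered is
# CLAIMTOBE, so a client simply asserts a username and the startd believes it.
# Anyone who can open a TCP connection to a condor daemon can therefore use
# condor_cod to start a process as any user.  Only acceptable if every user on
# every machine that can reach the pool is trusted.
# (knob names assumed from the Condor security configuration, not this thread)
SEC_DEFAULT_NEGOTIATION            = OPTIONAL
SEC_DEFAULT_AUTHENTICATION         = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE

# --- Alternative B: require file-system (FS) authentication ---
# The startd refuses unauthenticated clients, and FS is the only method it
# offers.  FS proves identity through the local file system, so it only works
# when condor_cod runs on the same host as the condor_startd it is talking to.
# Reach that host over ssh first (ssh keys make this painless) and run
# condor_cod there, rather than weakening the pool-wide setting.
SEC_DEFAULT_NEGOTIATION            = REQUIRED
SEC_DEFAULT_AUTHENTICATION         = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = FS
```

With alternative B in place, a condor_cod command issued from another machine will be rejected at authentication, which is the intended behaviour: the remote step is the ssh hop, and the cod command itself is local to the execute host. As the reply notes, FS is a unix-side method, so a mixed windows/unix pool that needs cross-platform cod cannot use this and is back to trusting everything that can connect.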