Re: [Condor-users] user based authorization not working

["Dr Ian C. Smith" <i.c.smith@xxxxxxxxxxxxxxx>]

--On 13 February 2006 12:26 -0600 Zachary Miller <zmiller@xxxxxxxxxxx> 
wrote:

> > I read this again and it made more sense second time around.
> > I tried getting Condor to use CLAIMTOBE by including
> > these lines in the master condor_config:
> >
> > SEC_DEFAULT_AUTHENTICATION = REQUIRED
> > SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE
> >
> > but then I couldn't do a condor_reconfig. Instead I
> > got this error:
> >
> > ERROR
> > AUTHENTICATE:1003:Failed to authenticate with any method
> > Can't send Reconfig command to local master
> >
> > Could you elaborate on this ?
>
> once you changed your config file, the running daemons and the
> condor_reconfig tool now have incompatible settings.  the running daemon
> has the default list of authentication methods (FS, KERBEROS, GSI) but
> the tool has only CLAIMTOBE.
>
> set the methods to CLAIMTOBE, FS.  then do the reconfig (it will use FS).
> then take out FS and reconfig again, and you'll have just CLAIMTOBE.
> there's no harm in just leaving FS in there though.

This kind of follows the same thread ...

Looking at how the config file on the central manager is set up it appears
to me that the requirements for a submit only host are the same as for
an execute only host i.e. an entry in HOSTALLOW_READ and HOSTALLOW_WRITE.
Does this mean that any execute host could potentially be used as a submit
host ? I ask this in case ordinary (non-Condor) users on the execute hosts
could install a condor client and use it to submit jobs thus side stepping
the access controls.

regards,

-ian.








> cheers,
> -zach
>
> _______________________________________________
> Condor-users mailing list
> Condor-users@xxxxxxxxxxx
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users