[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Condor-users] using kerberos principal instances in authorization levels
- Date: Mon, 25 Jun 2007 12:52:41 +0200 (CEST)
- From: "Rob de Graaf" <rob@xxxxxxxxxxxxxxxxxx>
- Subject: [Condor-users] using kerberos principal instances in authorization levels
Is it possible to use kerberos principal instances in condor's
I've created principals with instances but when I send commands condor
only parses up to / to determine a user, thus ignoring whichever instance
KERBEROS: krb5_unparse_name: rob/cadmin@xxxxxxxxxx
KERBEROS: no user yet determined, will grab up to slash
KERBEROS: picked user: rob
Client is rob@xxxxxxxxxx
User rob is now authenticated!
I'd like, for example, to be able to create principals with a cadmin
instance to denote condor pool administrators, and give administrative
access based on their instance rather than their principal, ie.
ALLOW_ADMINISTRATOR = */cadmin@$(UID_DOMAIN)/$(CONDOR_HOST)
rather than have to set it up per user, ie.
The same could be used in a submitter's ALLOW_WRITE level, ie.
ALLOW_WRITE = */csubmit@$(UID_DOMAIN)/*.DOMAIN.TLD
I know I could simply create a cadmin principal without any instance, for
administrators to share, but I'd prefer not to. So basically what I'm
looking for is group based authorization.. if possible through kerberos,
but if any other approach exists I'd love to hear about it. How do other
sites solve this?
Rob de Graaf