
Re: [Condor-users] condor-submit -remote



> It sounds like what you want is CLAIMTOBE authentication.  This 
> basically gives you host-based security for remote user 
> authentication.  
> Example:
> 
> SEC_DEFAULT_AUTHENTICATION_METHODS = FS, CLAIMTOBE

Hmm, from the manual:
"Claim To Be authentication accepts any identity claimed by the client.
 As such, it does not authenticate. It is included in Condor and in the
 list of authentication methods for testing purposes only."

scary!

And "the powers that be" suggest that I should use a single submission
point to improve security! Maybe I'll just get them to ssh onto it, but then
I suspect file transfer would be a pain.

Is there a section in the manual on remote submission (as opposed to
Grid submission)? I presume that files can be transferred if necessary?

> >I think I rely on FS security (or whatever the default is), how is
> >this different in the remote submission rather than local
> >submission case?
> >
>
> FS authentication doesn't work for remote authentication, but you can
> use a similar mechanism called FS_REMOTE to do remote authentication,
> if you have a shared NFS directory.

I thought FS_REMOTE is for NFS or similar shared filestore only?

BTW What is the default value for SEC_DEFAULT_AUTHENTICATION_METHODS,
I couldn't see it in the manual.

I have a mixed pool: various Windows and various LINUX. Jobs run as
user nobody (or Windows condor user) since we don't have a common UID domain,
although original username is stored in log files on a
"claim to be" basis I believe.

I will also investigate the SOFT_UID_DOMAIN option.

thanks

JK
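
The manual excerpt quoted in this message says CLAIMTOBE accepts any claimed identity, so a pool configuration that lists it is worth flagging. The following is an added example, not part of the original post and not Condor's own code: a small audit that reports every `SEC_*_AUTHENTICATION_METHODS` setting whose effective value includes CLAIMTOBE. The function name, the sample configuration and the assumption that a later assignment overrides an earlier one are mine.

```python
import re

# Method the manual excerpt describes as not authenticating at all.
NON_AUTHENTICATING = {"CLAIMTOBE"}

# Matches lines such as: SEC_DEFAULT_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SETTING = re.compile(
    r"^\s*(SEC_\w+_AUTHENTICATION_METHODS)\s*=\s*(.*)$", re.IGNORECASE
)

def audit_auth_methods(config_text):
    """Return [(line_no, setting, [weak methods])] for effective settings.

    Assumption: when a setting is assigned more than once, the last
    assignment is the one in force, so only that line is reported.
    """
    effective = {}
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):      # commented-out setting
            continue
        match = SETTING.match(line)
        if not match:
            continue
        name = match.group(1).upper()
        methods = [m.upper() for m in re.split(r"[,\s]+", match.group(2)) if m]
        effective[name] = (line_no, methods)   # later lines overwrite earlier

    findings = []
    for name, (line_no, methods) in effective.items():
        weak = [m for m in methods if m in NON_AUTHENTICATING]
        if weak:
            findings.append((line_no, name, weak))
    return sorted(findings)

# Constructed sample configuration, for illustration only.
SAMPLE = """\
# pool-wide security settings
SEC_DEFAULT_AUTHENTICATION_METHODS = FS
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, CLAIMTOBE
SEC_CLIENT_AUTHENTICATION_METHODS = FS, FS_REMOTE
# SEC_WRITE_AUTHENTICATION_METHODS = CLAIMTOBE
"""

if __name__ == "__main__":
    for line_no, name, weak in audit_auth_methods(SAMPLE):
        print(f"line {line_no}: {name} allows {', '.join(weak)}")
```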