[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Security: allow condor_submit, deny condor_advertise

Zachary Miller wrote:
I'd like to allow jobs to be submitted by anyone on machine X, but I would like to limit inserting machine ClassAds with condor_advertise to the root user on the same machine. Is there a way to enforce this sort of authorization (HOSTALLOW_WRITE is obviously too liberal)?

actually, there is now.  the below features will work in 6.9.5, released
just this week.

you will want to set something similar to the below in your condor_config.
this instructs the collector to have different allow lists for schedd and
startd advertisements:

  ALLOW_ADVERTISE_SCHEDD = submithost.foo.com
  ALLOW_ADVERTISE_STARTD = *.executehosts.foo.com

To restrict people from using condor_advertise to advertise machine ClassAds, you would need to go a little further. For example, in the above example, a user can still submit a job that runs on one of the execute hosts and calls condor_advertise to send a startd ClassAd to the collector. To prevent that, you would want to require authentication of the startd advertisement (and possibly the schedd as well, for that matter). Example:


And then you would need to get one of the available authentication methods working for your Condor daemons.