Re: [Condor-users] Security: allow condor_submit, deny condor_advertise
- Date: Fri, 30 Nov 2007 13:04:52 -0600
- From: Dan Bradley <dan@xxxxxxxxxxxx>
- Subject: Re: [Condor-users] Security: allow condor_submit, deny condor_advertise
Zachary Miller wrote:
>> I'd like to allow jobs to be submitted by anyone on machine X, but I would
>> like to limit inserting machine ClassAds with condor_advertise to the root
>> user on the same machine. Is there a way to enforce this sort of
>> authorization (HOSTALLOW_WRITE is obviously too liberal)?
> Actually, there is now. The below features will work in 6.9.5, released
> just this week.
> You will want to set something similar to the below in your condor_config.
> This instructs the collector to have different allow lists for schedd and
> ALLOW_ADVERTISE_SCHEDD = submithost.foo.com
> ALLOW_ADVERTISE_STARTD = *.executehosts.foo.com
To restrict people from using condor_advertise to advertise machine
ClassAds, you would need to go a little further. For example, in the
above example, a user can still submit a job that runs on one of the
execute hosts and calls condor_advertise to send a startd ClassAd to the
collector. To prevent that, you would want to require authentication of
the startd advertisement (and possibly the schedd as well, for that
SEC_ADVERTISE_STARTD_AUTHENTICATION = REQUIRED
And then you would need to get one of the available authentication
methods working for your Condor daemons.
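The authorization logic described in this thread, as an added example (not code from the thread or from Condor itself): a small Python model of the collector's decision for an incoming advertisement, evaluated against three constructed condor_config fragments: a single HOSTALLOW_WRITE list, the per-ad-type ALLOW_ADVERTISE_SCHEDD / ALLOW_ADVERTISE_STARTD split from Zachary's reply, and the same split with SEC_ADVERTISE_STARTD_AUTHENTICATION = REQUIRED from Dan's follow-up. The matching semantics (glob on the sending host, fall back to HOSTALLOW_WRITE when no ALLOW_ADVERTISE_<TYPE> is set, deny unauthenticated senders when authentication is REQUIRED) are a simplified assumption made for illustration, not Condor's real implementation.

```python
import fnmatch

# Constructed condor_config fragments for illustration; not from the thread.
LOOSE_CONFIG = """
# One write list: anyone who can reach the collector from these hosts
# can advertise any kind of ClassAd, startd ads included.
HOSTALLOW_WRITE = submithost.foo.com, *.executehosts.foo.com
"""

SPLIT_CONFIG = """
# Per-ad-type advertise lists (6.9.5+), as in the thread.
HOSTALLOW_WRITE = submithost.foo.com
ALLOW_ADVERTISE_SCHEDD = submithost.foo.com
ALLOW_ADVERTISE_STARTD = *.executehosts.foo.com
"""

AUTH_CONFIG = SPLIT_CONFIG + """
# Additionally require the startd advertisement to be authenticated,
# so a job running on an execute host cannot forge a startd ad.
SEC_ADVERTISE_STARTD_AUTHENTICATION = REQUIRED
"""


def parse_config(text):
    """Parse 'KEY = value' lines into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().upper()] = value.strip()
    return cfg


def host_matches(host_list, host):
    """True if host matches any comma- or space-separated glob in host_list."""
    patterns = host_list.replace(",", " ").split()
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)


def advertise_allowed(cfg, ad_type, host, authenticated=False):
    """Assumed (simplified) collector decision for an ad of ad_type
    ('SCHEDD' or 'STARTD') sent from host.

    - If SEC_ADVERTISE_<TYPE>_AUTHENTICATION = REQUIRED, an unauthenticated
      sender is refused before any host list is consulted.
    - ALLOW_ADVERTISE_<TYPE> is used when set; otherwise the model falls back
      to HOSTALLOW_WRITE, which is exactly the over-broad case from the question.
    """
    ad_type = ad_type.upper()
    auth = cfg.get("SEC_ADVERTISE_%s_AUTHENTICATION" % ad_type, "").upper()
    if auth == "REQUIRED" and not authenticated:
        return False
    host_list = cfg.get("ALLOW_ADVERTISE_%s" % ad_type)
    if host_list is None:
        host_list = cfg.get("HOSTALLOW_WRITE", "")
    return host_matches(host_list, host)


if __name__ == "__main__":
    cases = [
        ("loose", LOOSE_CONFIG), ("split", SPLIT_CONFIG), ("auth", AUTH_CONFIG),
    ]
    for name, text in cases:
        cfg = parse_config(text)
        print(name,
              "startd from submit host:",
              advertise_allowed(cfg, "STARTD", "submithost.foo.com"),
              "| unauthenticated startd from execute host:",
              advertise_allowed(cfg, "STARTD", "node1.executehosts.foo.com"),
              "| authenticated startd from execute host:",
              advertise_allowed(cfg, "STARTD", "node1.executehosts.foo.com",
                                authenticated=True))
```

Running the three cases shows the progression in the thread: with a single HOSTALLOW_WRITE the submit host can push startd ads; the split lists stop that but still accept an unauthenticated startd ad from any execute host (the path Dan points out, a job calling condor_advertise); only the REQUIRED authentication setting closes that path, which is why an authentication method then has to be working for the daemons.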