
Re: [Condor-users] authenticating administrative access (was: Startd on workers dies just after claiming job "error opening watchdog pipe")





Dan Bradley wrote:

However, if you just want to authenticate trusted administrative users on each local machine, you can do that with FS authentication. Example:

# Authenticate administrative access so we can see if it
# is an administrative account local to this machine.  If you
# don't allow remote administrative commands (such as condor_reconfig -all)
# or all remote administrative commands are required to be
# authenticated via some remote authentication method such as GSI,
# then you could instead set this to REQUIRED.
SEC_ADMINISTRATOR_AUTHENTICATION = PREFERRED

ALLOW_ADMINISTRATOR = \
 root@$(UID_DOMAIN)/$(FULL_HOSTNAME) \
 condor@$(UID_DOMAIN)/$(FULL_HOSTNAME)


I am surprised to find that this configuration causes rejection of unauthenticated administrative access, even if ALLOW_ADMINISTRATOR is configured to allow it (e.g. unauthenticated access from the central manager). I had forgotten this detail of how authentication works in Condor.

So if you want unauthenticated remote administrative access in addition to authenticated local administrative access (i.e. because you don't have a method of remote user authentication configured), then you need to add ANONYMOUS to the allowed authentication methods. Example:

SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = FS, KERBEROS, GSI, ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = FS, KERBEROS, GSI, ANONYMOUS

Then you can authorize remote unauthenticated access by IP address in addition to local authenticated access by trusted accounts:

ALLOW_ADMINISTRATOR = \
*/$(CONDOR_HOST) \
root@$(UID_DOMAIN)/$(FULL_HOSTNAME) \
condor@$(UID_DOMAIN)/$(FULL_HOSTNAME)

# clear out the older-style hostallow setting to avoid confusion
HOSTALLOW_ADMINISTRATOR =

SEC_ADMINISTRATOR_AUTHENTICATION = PREFERRED


--Dan
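
An added example, not part of the message above and not Condor's own code: a small Python audit that reads the settings shown in the message and separates ALLOW_ADMINISTRATOR entries bound to an authenticated identity from entries matched on address alone. The function names and sample text are constructed here; it reads only the SEC_ADMINISTRATOR_* settings, does not expand macros, and assumes, as the message describes, that unauthenticated access is rejected unless ANONYMOUS is an allowed method.

```python
import re

# Constructed sample input: the final settings from the message above.
SAMPLE = r"""
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = FS, KERBEROS, GSI, ANONYMOUS
ALLOW_ADMINISTRATOR = \
 */$(CONDOR_HOST) \
 root@$(UID_DOMAIN)/$(FULL_HOSTNAME) \
 condor@$(UID_DOMAIN)/$(FULL_HOSTNAME)
HOSTALLOW_ADMINISTRATOR =
SEC_ADMINISTRATOR_AUTHENTICATION = PREFERRED
"""

def parse_config(text):
    """Return {NAME: value}; joins backslash continuations, skips comments."""
    settings, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        if "=" in logical and not logical.startswith("#"):
            name, value = logical.split("=", 1)
            settings[name.strip().upper()] = value.strip()  # last definition wins
        logical = ""
    return settings

def words(value):
    return [w for w in re.split(r"[,\s]+", value) if w]

def audit_admin(settings):
    """Split ALLOW_ADMINISTRATOR into identity-bound and address-only entries."""
    methods = [m.upper() for m in words(settings.get("SEC_ADMINISTRATOR_AUTHENTICATION_METHODS", ""))]
    level = settings.get("SEC_ADMINISTRATOR_AUTHENTICATION", "").upper()
    report = {"identity": [], "host_only": [], "warnings": []}
    for entry in words(settings.get("ALLOW_ADMINISTRATOR", "")):
        # Assumption: an entry with no "/" but with "@" names a user, not a host.
        user = entry if ("/" not in entry and "@" in entry) else entry.rpartition("/")[0]
        report["host_only" if user in ("", "*") else "identity"].append(entry)
    anonymous = "ANONYMOUS" in methods
    if report["host_only"] and anonymous:
        report["warnings"].append("address-only entries grant ADMINISTRATOR to anyone at that address")
    # Behaviour described in the message: without ANONYMOUS, unauthenticated access is rejected.
    if report["host_only"] and not anonymous and level in ("PREFERRED", "REQUIRED"):
        report["warnings"].append("address-only entries are rejected: ANONYMOUS is not an allowed method")
    if settings.get("HOSTALLOW_ADMINISTRATOR"):
        report["warnings"].append("older-style HOSTALLOW_ADMINISTRATOR is also set")
    return report
```

Calling `audit_admin(parse_config(text))` on a machine's configuration text lists which administrative grants rest on the source address only, which is the part of this setup worth reviewing whenever the central manager's address changes.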