Re: [Condor-users] Authentication Model - Condor + WebServices

[Matthew Farrellee <matt@xxxxxxxxxxx>]

Andrea,

The trust given to an authenticated client is not trust to provide an 
arbitrary Owner attribute.

If QUEUE_ALL_USERS_TRUSTED is FALSE (the default), Condor does a check 
between the client's authenticated user and the Owner attribute the 
client is sending, and may reject the job if they don't match properly.

Best,


matt

P.S. There may be a gotcha in what you need to pass in as the Owner of 
the job. Does the client have to know what user Condor maps the client's 
authenticated principle to? Is that a problem?

Andrea Borsic wrote:
> Hi Matt,
>
> Thanks for your email. I had a look at this slide in the past, but I am 
> not entirely clear about it.
>
> Does the scheme mean that what is authenticated is the client ? In the 
> sense that once the client is authenticated and therefore trusted by the 
> server, than the "Owner" field declared by the client is trusted ? Or 
> does this scheme result in the actual authentication of the user ?
>
> Thanks,
>
> Andrea
>
>
>
> Matthew Farrellee wrote:
> > Andrea Borsic wrote:
> >   
> > > Dear All,
> > >
> > > I am new to the use of Condor, and I would like to post a question 
> > > regarding the authentication model of Condor + WebServices:
> > >
> > > I am interested in submitting jobs to a Linux+Condor cluster via Web 
> > > Services and I have realized that most Condor Web Services calls have a 
> > > field called "Owner", where the client side can declare the user ID to 
> > > be used for running the job. This arrangement is not satisfactory for 
> > > us, as we would like to have a true authentication of the users.
> > >
> > > Is trusting the "Owner" field in the Web Services calls the only 
> > > authentication model of Condor for Web Services ? What are the common 
> > > practices regarding this aspect - is there any secure way of 
> > > authenticating the users ? Apparently the User Manual does not cover in 
> > > more detail these aspects, is there any documentation that might be 
> > > helpful ?
> > >
> > > Thanks for your attention,
> > >
> > > Best Regards,
> > >
> > > Andrea Borsic
> > >     
> > Take a look at the API Tutorial on slide 33,
> >
> > http://www.cs.wisc.edu/condor/CondorWeek2006/presentations/farrellee_tannenba_APIs.ppt
> >
> > Best,
> >
> >
> > matt
> > _______________________________________________
> > Condor-users mailing list
> > To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> > subject: Unsubscribe
> > You can also unsubscribe by visiting
> > https://lists.cs.wisc.edu/mailman/listinfo/condor-users
> >
> > The archives can be found at: 
> > https://lists.cs.wisc.edu/archive/condor-users/
> >   
>
>
> _______________________________________________
> Condor-users mailing list
> To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users
>
> The archives can be found at: 
> https://lists.cs.wisc.edu/archive/condor-users/