Re: [Condor-users] Authentication Model - Condor + WebServices

[Andrea Borsic <Andrea.Borsic@xxxxxxxxxxxxx>]

Hi Todd,

The mapping certificate <-> user might be acceptable as we will be few 
users sharing the resource.

Thanks anyway for this, as I guess it clarifies the picture.

Regards,

Andrea




Todd Tannenbaum wrote:
> Andrea Borsic wrote:
>   
> > Dear All,
> >
> > I am new to the use of Condor, and I would like to post a question 
> > regarding the authentication model of Condor + WebServices:
> >
> > I am interested in submitting jobs to a Linux+Condor cluster via Web 
> > Services and I have realized that most Condor Web Services calls have a 
> > field called "Owner", where the client side can declare the user ID to 
> > be used for running the job. This arrangement is not satisfactory for 
> > us, as we would like to have a true authentication of the users.
> >
> > Is trusting the "Owner" field in the Web Services calls the only 
> > authentication model of Condor for Web Services ? What are the common 
> > practices regarding this aspect - is there any secure way of 
> > authenticating the users ? Apparently the User Manual does not cover in 
> > more detail these aspects, is there any documentation that might be 
> > helpful ?
> >     
>
> The Condor Manual needs to improve in this area, we hope to get to this 
> soon.
>
> Although the client sets Owner=<whomever>, you can tell the schedd to 
> authenticate the client and then verify that the Owner attribute is 
> authentic (i.e. the Owner claimed by the client == the Owner verified by 
>   the schedd itself).
>
> Using its own communication protocol, Condor can perform this 
> authentication via a variety of protocols.  Using the Web Service 
> interface, however, you have only one choice for strong authentication: 
> SSL.  Specifically, HTTPS.  Your client will need to have a client-side 
> SSL certificate.  You then tell Condor that clients with a valid 
> certificate of subject X == condor "owner" Y --- i.e. you map ssl cert 
> names to Condor owners.
>
> Does the above sound acceptable for what you have in mind?
>
> For the settings in condor_config related to the above, see in the 
> manual at:
> http://www.cs.wisc.edu/condor/manual/v7.0/3_3Configuration.html#sec:API-Config-File-Entries
>
> Also, take a peek at slides 33 thru 38 in the following PowerPoint:
> http://www.cs.wisc.edu/condor/CondorWeek2006/presentations/farrellee_tannenba_APIs.ppt
>
> Hope this helps get you started,
> Todd
> _______________________________________________
> Condor-users mailing list
> To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users
>
> The archives can be found at: 
> https://lists.cs.wisc.edu/archive/condor-users/
>