Mailing List Archives
Public Access
|
|
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Condor-users] condor_credd setups
- Date: Thu, 01 Oct 2009 09:35:34 -0700
- From: Ralph Finch <rgf@xxxxxxx>
- Subject: [Condor-users] condor_credd setups
Condor 7.2.4
There seems to be different suggested setups for condor_credd in two files
provided in the distribution. Which should actually be used?
In the sample condor_config file in the top level of the zip file,
condor_credd
usage is as follows:
##
##--------------------------------------------------------------------
## condor_credd credential managment daemon
##--------------------------------------------------------------------
## Where is the CredD binary installed?
CREDD = $(SBIN)/condor_credd.exe
## When the credd starts up, it can place it's address (IP and port)
## into a file. This way, tools running on the local machine don't
## need an additional "-n host:port" command line option. This
## feature can be turned off by commenting out this setting.
CREDD_ADDRESS_FILE = $(LOG)/.credd_address
## Specify a remote credd server here,
#CREDD_HOST = $(CONDOR_HOST):$(CREDD_PORT)
## CredD startup arguments
## Start the CredD on a well-known port. Uncomment to to simplify
## connecting to a remote CredD. Note: that this interface may change
## in a future release.
CREDD_PORT = 9620
CREDD_ARGS = -p $(CREDD_PORT) -f
## CredD daemon debugging log
CREDD_LOG = $(LOG)/CredLog
CREDD_DEBUG = D_FULLDEBUG
MAX_CREDD_LOG = 4000000
## The credential owner submits the credential. This list specififies
## other user who are also permitted to see all credentials. Defaults
## to root on Unix systems, and Administrator on Windows systems.
#CRED_SUPER_USERS =
## Credential storage location. This directory must exist
## prior to starting condor_credd. It is highly recommended to
## restrict access permissions to _only_ the directory owner.
CRED_STORE_DIR = $(LOCAL_DIR)/cred_dir
## Index file path of saved credentials.
## This file will be automatically created if it does not exist.
#CRED_INDEX_FILE = $(CRED_STORE_DIR/cred-index
## condor_credd will attempt to refresh credentials when their
## remaining lifespan is less than this value. Units = seconds.
#DEFAULT_CRED_EXPIRE_THRESHOLD = 3600
## condor-credd periodically checks remaining lifespan of stored
## credentials, at this interval.
#CRED_CHECK_INTERVAL = 60
****************************************************************
****************************************************************
Meanwhile in etc/condor_config.local.credd, the usage is:
######################################################################
##
## condor_config.credd
##
## This is the default local configuration file for the machine
## running the condor_credd. You should copy this file to the
## appropriate location and customize it for your needs.
##
######################################################################
## Note: The following settings will need to be present in your
## global config file:
##
## CREDD_HOST = my-credd.cs.wisc.edu
## STARTER_ALLOW_RUNAS_OWNER = True
## CREDD_CACHE_LOCALLY = True
##
## You'll also need to ensure that clients are configured to use
## PASSWORD authentication on any machine that can run jobs as the
## submitting user. For example,
##
## SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
##
## And finally, you'll need to enable CONFIG-level access for all
## machines in the pool so that the pool password can be stored:
##
## ALLOW_CONFIG = Administrator@*
## SEC_CONFIG_NEGOTIATION = REQUIRED
## SEC_CONFIG_AUTHENTICATION = REQUIRED
## SEC_CONFIG_ENCRYPTION = REQUIRED
## SEC_CONFIG_INTEGRITY = REQUIRED
##
## See the "Executing Jobs as the Submitting User" section of the
## Condor manual for further details.
## CREDD_SETTINGS
## CREDD logging settings
## Customize these if you wish.
CREDD_LOG = $(LOG)/CreddLog
CREDD_DEBUG = D_COMMAND
MAX_CREDD_LOG = 50000000
#################################################
## CREDD Expert settings
## Everyting below is for the UBER-KNOWLEDGEABLE only!
## Do not change these unless you know what you do!
#################################################
DAEMON_LIST = $(DAEMON_LIST), CREDD
#DC_DAEMON_LIST = \
#MASTER, STARTD, SCHEDD, KBDD, COLLECTOR, NEGOTIATOR, EVENTD, \
#VIEW_SERVER, CONDOR_VIEW, VIEW_COLLECTOR, HAWKEYE, CREDD, HAD, \
#QUILL
CREDD = $(SBIN)/condor_credd.exe
# Timeout session quickly since we normally only get contacted
# once per starter
SEC_CREDD_SESSION_TIMEOUT = 10
# Set security settings so that full security to the credd is required
CREDD.SEC_DEFAULT_AUTHENTICATION =REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
# Require PASSWORD auth for password fetching
CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
# Only honor password fetch requests to the trusted "condor_pool" user
CREDD.ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)
# Require NTSSPI for storing credentials
CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.