Re: [Condor-users] GSI auth in Windows

["Jewell, Chris" <C.P.Jewell@xxxxxxxxxxxx>]

On 18 Aug 2012, at 04:16, Todd Tannenbaum wrote:

> On 8/17/2012 8:54 AM, Michael O'Donnell wrote:
>> I found Zach's tutorial extremely useful for setting up SSL in a Windows
>> pool. There is not a whole lot that is different, but there are many
>> methods to accomplish setting up SSL CA, certs, keys, etc. If you follow
>> Zach's setup you will have a set of instructions to refer to and I
>> highly recommend this if you are not familiar with SSL. I can also
>> provide you help with this if you would like. If needed I can also throw
>> together my notes and pass this information along. I also developed a
>> python script that automates the generates of keys and certs (after the
>> CA is setup) because I was implementing a strict security policy where
>> each machine required their own key--a bit of an overkill but developing
>> this code has saved me a tremendous amount of time.

Hi Mike,

Many thanks for the offer of help, and I'd definitely be interested in your notes!

So far I have managed to get SSL running at daemon level, using individual host certificates.  What I'm confused about is how far one needs to tie down the security in Condor to make it impossible (or at least difficult) for someone to hook a machine into the pool, and run jobs.   I guess daemon security does the former, but for managed submission hosts, is it really necessary to have 

ALLOW_WRITE = *@$(UID_DOMAIN)/*.foo.bar 

rather than

ALLOW_WRITE = *.foo.bar

and allowing a combination of daemon level access and auth on the submission host to control the users who are allowed to submit?  Then, is it necessary to require ssl auth for NEGOTIATOR and CLIENT, as per the GSI section of the manual?

Cheers,

Chris

  

--
Dr Chris Jewell
Lecturer in Biostatistics
Institute of Fundamental Sciences
Massey University
Private Bag 11222
Palmerston North 4442
New Zealand
Tel: +64 (0) 6 350 5701 Extn: 3586