
Re: [HTCondor-users] Question about kerberos authentication - keytab required?



Dear Steve Timm,

Thank you very much for your answer.

I am currently using a password file for the authentication between nodes:
# Authentication
SEC_PASSWORD_FILE = /etc/condor/pool_password
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_CLIENT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD,FS
SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,PASSWORD
SCHEDD.SEC_DAEMON_AUTHENTICATION_METHODS = FS,PASSWORD
SEC_CLIENT_AUTHENTICATION_METHODS = FS,PASSWORD,CLAIMTOBE
SEC_READ_AUTHENTICATION_METHODS = FS,PASSWORD,CLAIMTOBE
while the GSI part is handled by my (ARC) computing element which is
also the scheduler + negotiator for the cluster.
Currently all users can execute condor_status and condor_q.

So, just to make sure I understood correctly: If I want a local user
to be able to authorise via a kerberos ticket all I need to change is
SEC_DEFAULT_AUTHENTICATION_METHODS=PASSWORD,FS,KERBEROS
and, of course, set up KERBEROS_MAP_FILE?

Cheers,
Luke

On 31 July 2014 15:03, Steven Timm <timm@xxxxxxxx> wrote:
> It all depends on how you have your security parameters
> configured.  If you are using kerberos authentication you can choose
> to require authentication on submit, or not.
> In my cluster (which doesn't use kerberos but GSI)
> we have
> SEC_DEFAULT_AUTHENTICATION = REQUIRED
> SEC_CLIENT_AUTHENTICATION = OPTIONAL
> SEC_READ_AUTHENTICATION = OPTIONAL
>
> There are several other levels of authentication that
> are configurable.. in this configuration you still need
> authentication to submit but not to do condor_status or condor_q.
> You could also consider allowing
>
> SEC_DEFAULT_AUTHENTICATION_METHODS=FS,KERBEROS
>
> That way someone could submit remotely using kerberos principal
> but if logged into the submit host itself could submit using
> FS authentication.
>
> Steve Timm
>
> On Thu, 31 Jul 2014, L Kreczko wrote:
>
>> Dear HTCondor experts,
>>
>> I understand that HTCondor is capable of using the keytab as hinted by
>> the parameter KERBEROS_SERVER_PRINCIPAL.
>>
>> However, since it is not explicitly said in the documentation:
>> Does kerberos authentication for a user submitting jobs require a keytab?
>>
>> Cheers,
>> Luke
>> _______________________________________________
>> HTCondor-users mailing list
>> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with
>> a
>> subject: Unsubscribe
>> You can also unsubscribe by visiting
>> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>>
>> The archives can be found at:
>> https://lists.cs.wisc.edu/archive/htcondor-users/
>>
>
> ------------------------------------------------------------------
> Steven C. Timm, Ph.D  (630) 840-8525
> timm@xxxxxxxx  http://home.fnal.gov/~timm/
> Fermilab Scientific Computing Division, Scientific Computing Services Quad.
> Grid and Cloud Services Dept., Associate Dept. Head for Cloud Computing



-- 
*********************************************************
  Dr Lukasz Kreczko            +44 (0)117 928 8724
  CMS Group
  School of Physics
  University of Bristol
*********************************************************
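Added example (not code from the thread or from the HTCondor project): a small resolver that takes the configuration fragment quoted above and reports, for one daemon and access level, which authentication requirement and method list apply, flagging methods such as CLAIMTOBE that accept the peer's claimed identity without verifying it. The lookup order it assumes is SUBSYS.SEC_<LEVEL>_X, then SEC_<LEVEL>_X, then SUBSYS.SEC_DEFAULT_X, then SEC_DEFAULT_X.

```python
# Added example, not code from the thread or from HTCondor: resolve the
# authentication requirement and method list applied for one daemon and
# access level. Assumed lookup order: SUBSYS.SEC_<LEVEL>_X, SEC_<LEVEL>_X,
# SUBSYS.SEC_DEFAULT_X, SEC_DEFAULT_X (a per-level setting overrides the
# DEFAULT one, and a SUBSYS.-prefixed setting overrides the unprefixed one).

# Constructed from the config lines quoted in the mail above.
SAMPLE_CONFIG = """
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_CLIENT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD,FS
SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,PASSWORD
SCHEDD.SEC_DAEMON_AUTHENTICATION_METHODS = FS,PASSWORD
SEC_CLIENT_AUTHENTICATION_METHODS = FS,PASSWORD,CLAIMTOBE
SEC_READ_AUTHENTICATION_METHODS = FS,PASSWORD,CLAIMTOBE
"""

# Methods that take the peer's word for who it is rather than verifying it.
UNVERIFIED = {"CLAIMTOBE", "ANONYMOUS"}

def parse_config(text):
    """Parse 'KEY = value' lines; '#' starts a comment, keys are case-insensitive."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, _, val = line.partition("=")
            cfg[key.strip().upper()] = val.strip()
    return cfg

def lookup(cfg, name, subsys):
    """SUBSYS.NAME overrides plain NAME, as for any HTCondor knob (assumed)."""
    return cfg.get(f"{subsys}.{name}", cfg.get(name))

def effective(cfg, subsys, level, setting):
    """Per-level value first, then the SEC_DEFAULT_ fallback."""
    val = lookup(cfg, f"SEC_{level}_{setting}", subsys)
    return val if val is not None else lookup(cfg, f"SEC_DEFAULT_{setting}", subsys)

def audit(cfg, subsys, level):
    """Return (auth requirement, method list, methods that verify nothing)."""
    # OPTIONAL is assumed here as the fallback when nothing is configured.
    auth = effective(cfg, subsys, level, "AUTHENTICATION") or "OPTIONAL"
    raw = effective(cfg, subsys, level, "AUTHENTICATION_METHODS") or ""
    methods = [m.strip().upper() for m in raw.split(",") if m.strip()]
    return auth, methods, [m for m in methods if m in UNVERIFIED]
```

With the fragment above, the SCHEDD's CLIENT level comes out as REQUIRED but with CLAIMTOBE in its list, which is the kind of combination worth a second look before adding KERBEROS to the method lists.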