
Re: [HTCondor-users] Authentication issue



Here it might also be important that I have "use SECURITY : Strong"
in the config.

At the moment we have to live with ALLOW_CLIENT = *, which I think is
far from secure. Any idea how to work around this in a safer way?

Thanks,
Daniel

2014-09-15 15:08 GMT+02:00 Zachary Miller <zmiller@xxxxxxxxxxx>:
> On Mon, Sep 15, 2014 at 01:55:32PM +0200, Pek Daniel wrote:
>> > First question: During "normal operation" (i.e. before a restart) do
>> > you see this in the log at all?  If you run "condor_status -collector"
>> > do you see an ad for the Collector?
>> >
>>
>> No, only once after restarting condor. No, there's no collector ad in the
>> output.
>
> Cool, that's what I expected.
>
>
>> I don't know if it helps, I tried to set ALLOW_CLIENT = * (of course, it's
>> not an acceptable policy, just out of curiosity, before it was:
>> ALLOW_CLIENT = *@$(UID_DOMAIN)/*.$(DEFAULT_DOMAIN_NAME), then the collector
>> ad is there, and I got this in the CollectorLog:
>>
>> 09/15/14 13:43:14 SECMAN: command 19 UPDATE_COLLECTOR_AD to collector X.Y.Z
>> from UDP port 55406 (blocking, raw).
>> 09/15/14 13:43:14 DC_AUTHENTICATE: received UDP packet from <a.b.c.d:55406>.
>> 09/15/14 13:43:14 DaemonCore received UNAUTHENTICATED command 19
>> UPDATE_COLLECTOR_AD.
>> 09/15/14 13:43:14 PERMISSION GRANTED to unauthenticated user from host
>> a.b.c.d for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
>> 09/15/14 13:43:14 Received UDP command 19 (UPDATE_COLLECTOR_AD) from
>>  <a.b.c.d:55406>, access level ALLOW
>> 09/15/14 13:43:14 Calling HandleReq <receive_update> (0) for command 19
>> (UPDATE_COLLECTOR_AD) from unauthenticated@unmapped <a.b.c.d:55406>
>> 09/15/14 13:43:14 CollectorAd  : Inserting ** "< name@xxxxx >"
>> 09/15/14 13:43:14 stats: Inserting new hashent for 'Collector':'name@xxxxx
>> ':'a.b.c.d'
>> 09/15/14 13:43:14 Return from HandleReq <receive_update> (handler: 0.000s,
>> sec: 0.000s, payload: 0.000s)
>
> Also to be expected.  In this case, the message is misleading.  The UDP packet
> is not UNAUTHENTICATED as it claims... it is using an internal secret known
> only to the Collector process.  It seems in doing so, though, it's not properly
> filling in the canonical name, and without code changes I don't believe there
> is a way to specify this in the CERTIFICATE_MAPFILE.  Hence, the authorization
> fails.
>
> Thanks for the data points.  Again, I'll investigate a little further and get
> back to you with more details.
>
>
> Cheers,
> -zach
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/
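While a pool runs with ALLOW_CLIENT = * as a workaround, the CollectorLog is the only place that shows which commands were actually granted to unauthenticated peers, and from where. The following is an added example, not part of this thread and not HTCondor's own code: a small Python checker that parses the "PERMISSION GRANTED/DENIED" lines of the format quoted above, flags grants to "unauthenticated user", and lets an operator suppress the one grant the thread explains (the collector's own UPDATE_COLLECTOR_AD from its own host) so that anything else stands out. The first sample line is taken from the log quoted above; the other sample lines, the hosts, principal and command names in them, and the ALLOW_CLIENT values shown in the comments are constructed for illustration.

```python
import re
from collections import Counter

# Matches the authorization verdict lines HTCondor daemons write, e.g.
# "09/15/14 13:43:14 PERMISSION GRANTED to unauthenticated user from host
#  a.b.c.d for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:"
PERMISSION_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"PERMISSION (?P<verdict>GRANTED|DENIED) "
    r"to (?P<user>.+?) from host (?P<host>\S+) "
    r"for command (?P<cmd>\d+) \((?P<name>[A-Z_0-9]+)\), "
    r"access level (?P<level>[A-Z_]+)"
)

# Constructed sample CollectorLog excerpt. Line 1 is the line quoted in the
# thread (collector updating its own ad while ALLOW_CLIENT = *); the rest are
# made up to show an authenticated grant, an unauthenticated READ grant, a
# denial, and an unrelated line the parser must skip.
SAMPLE_COLLECTOR_LOG = """\
09/15/14 13:43:14 PERMISSION GRANTED to unauthenticated user from host a.b.c.d for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
09/15/14 13:43:20 PERMISSION GRANTED to condor@example.org from host 10.0.0.5 for command 0 (UPDATE_STARTD_AD), access level ADVERTISE_STARTD: reason: .
09/15/14 13:43:31 PERMISSION GRANTED to unauthenticated user from host 10.0.0.9 for command 5 (QUERY_STARTD_ADS), access level READ: reason:
09/15/14 13:43:40 PERMISSION DENIED to unauthenticated user from host 192.0.2.7 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: reason: .
09/15/14 13:43:41 DC_AUTHENTICATE: received UDP packet from <a.b.c.d:55406>.
"""


def parse_permission_lines(text):
    """Return one dict per PERMISSION GRANTED/DENIED line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = PERMISSION_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["cmd"] = int(rec["cmd"])
        # HTCondor logs the literal principal "unauthenticated user" when no
        # authentication took place (or, as in the thread, when the internal
        # collector secret was used but no canonical name was filled in).
        rec["unauthenticated"] = rec["user"] == "unauthenticated user"
        records.append(rec)
    return records


def unauthenticated_grants(records, expected=frozenset()):
    """Grants to unauthenticated peers, minus (host, command name) pairs the
    operator has reviewed and expects (e.g. the collector's own ad update)."""
    return [
        r for r in records
        if r["verdict"] == "GRANTED"
        and r["unauthenticated"]
        and (r["host"], r["name"]) not in expected
    ]


def grants_by_host_and_level(records):
    """Counter keyed by (host, access level) for unauthenticated grants, which is
    the view to compare against the intended ALLOW_* / ALLOW_CLIENT policy."""
    return Counter((r["host"], r["level"]) for r in unauthenticated_grants(records))


if __name__ == "__main__":
    recs = parse_permission_lines(SAMPLE_COLLECTOR_LOG)
    # (host, command) pair the thread explains; hypothetical collector address.
    known = {("a.b.c.d", "UPDATE_COLLECTOR_AD")}
    for r in unauthenticated_grants(recs, expected=known):
        print(f'{r["ts"]} unauthenticated {r["level"]} grant: '
              f'{r["name"]} ({r["cmd"]}) from {r["host"]}')
    print(grants_by_host_and_level(recs))
```

Run it over a real CollectorLog (cat CollectorLog | python3 checker.py with a small stdin wrapper, or import the functions) after switching to ALLOW_CLIENT = *; anything the checker reports beyond the collector's own UPDATE_COLLECTOR_AD is traffic that the previous, host-restricted ALLOW_CLIENT = *@$(UID_DOMAIN)/*.$(DEFAULT_DOMAIN_NAME) would not have admitted, and is worth tightening back down once the canonical-name issue Zach describes is resolved.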