Re: [HTCondor-users] host based authentication for condor_submit -remote
- Date: Mon, 18 Jul 2016 14:26:59 -0500
- From: Brian Bockelman <bbockelm@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] host based authentication for condor_submit -remote
Hi Alexei,
So, there are two related concepts here:
- Authentication: Establishing the identity of the client
- Authorization: Specifying what the authenticated client is allowed to do.
ALLOW_READ / ALLOW_WRITE specifies an authorization. Once the client has been authenticated, these are applied.
From the message you receive, it appears that there is a failure in authentication: it looks like it has tried GSI, KERBEROS, and FS.
If you just want host-based authentication, you probably want to enable the CLAIMTOBE mode: that allows the client to simply assert an identity, and the server will believe it.
Likely, this means adding the following to the server config:
SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE, $(SEC_DEFAULT_AUTHENTICATION_METHODS)
And this to the client config:
SEC_CLIENT_AUTHENTICATION_METHODS = CLAIMTOBE, $(SEC_CLIENT_AUTHENTICATION_METHODS)
Here's some further reading on the security configuration:
http://research.cs.wisc.edu/htcondor/manual/v8.4/3_6Security.html
Of course, for systems not on dedicated networks, CLAIMTOBE is fairly weak. Further, even on dedicated networks, having stronger authentication methods is part of a good defense-in-depth strategy.
Hope this helps!
Brian
> On Jul 18, 2016, at 11:00 AM, Alexei Dvoretskii <advoretskii@xxxxxxxxxxxxxxxxxx> wrote:
>
> Hi.
>
> Is there an easy way to configure HTCondor to allow user.mycompany.com to submit jobs to the schedd running on submit.mycompany.com?
> When I run:
>
> [user] $ condor_submit -pool master.mycompany.com -remote submit.mycompany.com job.submit
>
> I get something like:
> ERROR: Failed to connect to queue manager submit.companyname.com AUTHENTICATE:1003:Failed to authenticate with any method AUTHENTICATE:1004:Failed to authenticate using GSI GSI:5003:Failed to authenticate. Globus is reporting error (851968:50). There is probably a problem with your credentials. (Did you run grid-proxy-init?) AUTHENTICATE:1004:Failed to authenticate using KERBEROS AUTHENTICATE:1004:Failed to authenticate using FS
>
> /etc/condor/condor_config on submit.mycompany.com has:
>
> ALLOW_READ = *.mycompany.com
> ALLOW_WRITE = *.mycompany.com
>
> Is there some other kind of ALLOW_ parameter that needs to be set? Or is it that host-based security must always go with some kind of certificate based authentication scheme?
>
> Thank you.
>
> Alexei.
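To make the authentication/authorization distinction from Brian's reply concrete, here is an added example (not HTCondor's own code, and not from either poster): a simplified Python model of a remote submit. It assumes that methods are tried in the client's list order restricted to what the server allows, that every method except CLAIMTOBE needs a real credential, and that ALLOW_WRITE patterns are matched against the client hostname with shell-style wildcards; the hosts, users and method lists are constructed to mirror the thread.

```python
import fnmatch
from typing import NamedTuple, Optional


class Outcome(NamedTuple):
    stage: str              # "authentication" or "authorization"
    ok: bool
    identity: Optional[str]
    detail: str


def _methods(spec):
    """Split a comma-separated SEC_*_AUTHENTICATION_METHODS value."""
    return [m.strip().upper() for m in spec.split(",") if m.strip()]


def authenticate(client_methods, server_methods, claimed_user, credentials=frozenset()):
    """Stage 1: establish an identity. Each allowed method is tried in turn;
    CLAIMTOBE succeeds on the client's bare assertion, any other method only
    succeeds if the client actually holds that credential (constructed set)."""
    server = set(_methods(server_methods))
    failures = []
    for m in _methods(client_methods):
        if m not in server:
            continue  # not negotiable, never attempted
        if m == "CLAIMTOBE" or m in credentials:
            return Outcome("authentication", True, claimed_user, f"authenticated via {m}")
        failures.append(f"Failed to authenticate using {m}")
    # Mirrors the shape of the error in the original post: one summary, one line per method tried
    return Outcome("authentication", False, None,
                   "; ".join(["Failed to authenticate with any method"] + failures))


def authorize_write(allow_write, client_host):
    """Stage 2: ALLOW_WRITE is only consulted once an identity exists.
    Assumed here: patterns such as *.mycompany.com are host globs."""
    patterns = [p.strip().lower() for p in allow_write.split(",") if p.strip()]
    return any(fnmatch.fnmatchcase(client_host.lower(), p) for p in patterns)


def remote_submit(client_methods, server_methods, allow_write,
                  client_host, claimed_user, credentials=frozenset()):
    """Run both stages and report which one decided the outcome."""
    auth = authenticate(client_methods, server_methods, claimed_user, credentials)
    if not auth.ok:
        return auth
    if not authorize_write(allow_write, client_host):
        return Outcome("authorization", False, auth.identity,
                       f"{client_host} does not match ALLOW_WRITE")
    return Outcome("authorization", True, auth.identity,
                   f"{auth.identity} from {client_host} may submit")
```

With CLAIMTOBE on both sides the host check in ALLOW_WRITE is the only thing standing between a client and the schedd, and the asserted user name is taken at face value, which is the weakness Brian points out.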