
Re: [HTCondor-users] host based authentication for condor_submit -remote



Hi Alexei,

So, there are two related concepts here:
- Authentication: Establishing the identity of the client
- Authorization: Specifying what the authenticated client is allowed to do.

ALLOW_READ / ALLOW_WRITE specify an authorization.  Once the client has been authenticated, these are applied.

From the message you receive, it appears that there is a failure in authentication: it looks like it has tried GSI, KERBEROS, and FS.

If you just want host-based authentication, you probably want to enable the CLAIMTOBE mode: that allows the client to simply assert an identity, and the server will believe it.

Likely, this means adding the following to the server config:
SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE, $(SEC_DEFAULT_AUTHENTICATION_METHODS)

And this to the client config:
SEC_CLIENT_AUTHENTICATION_METHODS = CLAIMTOBE, $(SEC_CLIENT_AUTHENTICATION_METHODS)

Here's some further reading on the security configuration:

http://research.cs.wisc.edu/htcondor/manual/v8.4/3_6Security.html

Of course, for systems not on dedicated networks, CLAIMTOBE is fairly weak.  Further, even on dedicated networks, having stronger authentication methods is part of a good defense-in-depth strategy.

Hope this helps!

Brian

> On Jul 18, 2016, at 11:00 AM, Alexei Dvoretskii <advoretskii@xxxxxxxxxxxxxxxxxx> wrote:
> 
> Hi.
>  
> Is there an easy way to configure HTCondor to allow user.mycompany.com to submit jobs to the schedd running on submit.mycompany.com?
> When I run:
>  
> [user] $ condor_submit -pool master.mycompany.com -remote submit.mycompany.com job.submit
>  
> I get something like:
> ERROR: Failed to connect to queue manager submit.companyname.com AUTHENTICATE:1003:Failed to authenticate with any method AUTHENTICATE:1004:Failed to authenticate using GSI GSI:5003:Failed to authenticate.  Globus is reporting error (851968:50).  There is probably a problem with your credentials. (Did you run grid-proxy-init?) AUTHENTICATE:1004:Failed to authenticate using KERBEROS AUTHENTICATE:1004:Failed to authenticate using FS
>  
> /etc/condor/condor_config on submit.mycompany.com has:
>  
> ALLOW_READ = *.mycompany.com
> ALLOW_WRITE = *.mycompany.com
>  
> Is there some other kind of ALLOW_ parameter that needs to be set? Or is it that host-based security must always go with some kind of certificate based authentication scheme?
>  
> Thank you.
>  
> Alexei.
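The following is an added example, not part of this thread and not HTCondor project code. It does two things a reader of the exchange above would want to check: it parses the `AUTHENTICATE:1004:Failed to authenticate using <METHOD>` fragments from the error Alexei quoted to list which methods the client tried, and it applies Brian's two config lines to a constructed baseline to show which methods the server and client then have in common, plus the authorization caveat that comes with CLAIMTOBE. The knob names (SEC_DEFAULT_AUTHENTICATION_METHODS, SEC_CLIENT_AUTHENTICATION_METHODS, ALLOW_READ, ALLOW_WRITE) are real HTCondor names taken from the thread; the baseline method lists, the sample error text, the tiny config parser and the "server order wins" rule for the shared list are constructed simplifications, not HTCondor's actual defaults or negotiation logic.

```python
"""Added example: inspect a condor_submit authentication failure and compare
server/client authentication method lists before and after enabling CLAIMTOBE.
Sample values and the negotiation rule below are constructed assumptions."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the error message quoted in the thread.
SAMPLE_ERROR = (
    "ERROR: Failed to connect to queue manager submit.companyname.com "
    "AUTHENTICATE:1003:Failed to authenticate with any method "
    "AUTHENTICATE:1004:Failed to authenticate using GSI "
    "GSI:5003:Failed to authenticate.  Globus is reporting error (851968:50). "
    "AUTHENTICATE:1004:Failed to authenticate using KERBEROS "
    "AUTHENTICATE:1004:Failed to authenticate using FS"
)

# Each attempted method shows up as "AUTHENTICATE:1004:Failed to authenticate using <METHOD>".
METHOD_TRIED_RE = re.compile(r"AUTHENTICATE:1004:Failed to authenticate using ([A-Z_]+)")
# $(NAME) macro references, as used in Brian's suggested config lines.
MACRO_RE = re.compile(r"\$\(([A-Za-z0-9_]+)\)")


def methods_tried(error_text: str) -> List[str]:
    """Return the authentication methods the client attempted, in the order reported."""
    return METHOD_TRIED_RE.findall(error_text)


def parse_config(text: str, base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Minimal KEY = VALUE parser that expands $(MACRO) against values seen so far.
    HTCondor's real config language does far more; this handles only the knobs discussed."""
    cfg = dict(base or {})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        value = MACRO_RE.sub(lambda m: cfg.get(m.group(1), ""), value)
        cfg[key] = value
    return cfg


def method_list(value: str) -> List[str]:
    """Split a comma-separated method list such as 'CLAIMTOBE, GSI, KERBEROS, FS'."""
    return [m.strip().upper() for m in value.split(",") if m.strip()]


def shared_methods(server_cfg: Dict[str, str], client_cfg: Dict[str, str]) -> List[str]:
    """Methods both sides list. Assumption: server order is kept; HTCondor's
    real negotiation is not reproduced here."""
    server = method_list(server_cfg.get("SEC_DEFAULT_AUTHENTICATION_METHODS", ""))
    client = method_list(client_cfg.get("SEC_CLIENT_AUTHENTICATION_METHODS", ""))
    return [m for m in server if m in client]


def review(server_cfg: Dict[str, str]) -> List[str]:
    """Defender-side findings: CLAIMTOBE lets a client assert any identity, so a
    host-only ALLOW_WRITE never constrains which user name is claimed."""
    findings = []
    methods = method_list(server_cfg.get("SEC_DEFAULT_AUTHENTICATION_METHODS", ""))
    allow_write = server_cfg.get("ALLOW_WRITE", "")
    if "CLAIMTOBE" in methods:
        findings.append("CLAIMTOBE enabled: the server believes whatever identity "
                        "a reachable client asserts; acceptable only on a dedicated network")
        if "@" not in allow_write:
            findings.append("ALLOW_WRITE restricts by host only; with CLAIMTOBE the "
                            "asserted user name is not checked against anything")
    return findings


# Constructed baseline standing in for the distribution defaults (real defaults differ).
BASELINE = {
    "SEC_DEFAULT_AUTHENTICATION_METHODS": "GSI, KERBEROS, FS",
    "SEC_CLIENT_AUTHENTICATION_METHODS": "GSI, KERBEROS, FS",
}

# Alexei's server config as quoted, before and after Brian's suggested line.
SERVER_BEFORE = parse_config("ALLOW_READ = *.mycompany.com\nALLOW_WRITE = *.mycompany.com\n", BASELINE)
SERVER_AFTER = parse_config(
    "ALLOW_READ = *.mycompany.com\n"
    "ALLOW_WRITE = *.mycompany.com\n"
    "SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE, $(SEC_DEFAULT_AUTHENTICATION_METHODS)\n",
    BASELINE,
)
CLIENT_BEFORE = parse_config("", BASELINE)
CLIENT_AFTER = parse_config(
    "SEC_CLIENT_AUTHENTICATION_METHODS = CLAIMTOBE, $(SEC_CLIENT_AUTHENTICATION_METHODS)\n",
    BASELINE,
)

if __name__ == "__main__":
    print("methods tried:", methods_tried(SAMPLE_ERROR))
    print("shared before:", shared_methods(SERVER_BEFORE, CLIENT_BEFORE))
    print("shared after: ", shared_methods(SERVER_AFTER, CLIENT_AFTER))
    for finding in review(SERVER_AFTER):
        print("finding:", finding)
```

Running it shows that the failing client already shared GSI, KERBEROS and FS with the server in this constructed setup, so the failure is in those methods themselves rather than in ALLOW_WRITE, and that after Brian's two lines CLAIMTOBE becomes the first shared method, with the two findings spelling out what that trades away.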