[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] Security of "Owner"
- Date: Tue, 18 Oct 2016 19:30:45 -0500
- From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] Security of "Owner"
On 10/18/2016 6:32 PM, Kandes, Martin wrote:
I'm trying to isolate execute nodes by specific users using START
expressions. e.g., . I did one simple test , which appears like
another user cannot hijack another Owner's name. Are there any other
security implications I should be thinking of?
So the default config has the schedd securely authenticating the user
who is submitting the job via filesystem authentication and setting that
to the Owner, so that is all good.
The question you should ask yourself now is how is the startd (on the
execute node) setup to authenticate that is it talking to a "trusted
schedd" ? By a trusted schedd, I mean one that can be trusted to have
securely authenticated the submitting user. HTCondor uses a chain of
trust - the schedd authenticates the submitting user, and then the
startd authenticates the schedd. If your pool is setup to use some form
of credential based authentication (i.e. authentication methods like
PASSWORD, GSI, SSL, KERBEROS, ...), you are probably good. If your pool
is using host-based authentication (like *.my.domain.edu), you need to
trust all users that can login to the trusted hosts to deal with the
fact that a determined malicious user could login to a submit node and
run their own hacked/modified/misconfigured schedd binary which could
misrepresent the Owner to the startd on the execute node.
HTCondor supports all sorts of authentication mechanisms; see Section
3.6 of the HTCondor Manual. If your nodes already have GSI host certs
installed, I'd use that. If your nodes already SSL host certs installed
(and if you use Puppet, they probably already do), you could go with
that - see HOWTO recipe at
And finally if you don't have either of those, it is quick and easy to
install a "pool password" file on each node that is readable only by
root, and tell HTCondor to only trust other daemons that also know the
secret. See the Manual or the HOWTO recipe at
Hope this helps
START = (Owner == "mkandes")
 emfajard@pcf-osg ~$ condor_qedit 11676.0 Owner mkandes
Update of attribute "Owner" is not allowed.
Transaction failed. No attributes were set.
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
You can also unsubscribe by visiting
The archives can be found at: