[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security implications"
- Date: Tue, 12 Sep 2017 14:51:32 +0000
- From: Zach Miller <zmiller@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security implications"
The "potential security implications" are referring to the fact that someone could set these remotely without authentication. So, yes, setting up SSL for HTCondor would do the trick.
1) Install SSL certs (and the CA/signing cert) on the central manager and execute nodes.
2) Set the AUTH_SSL_CLIENT_* and AUTH_SSL_SERVER_* condor_config entries.
3) Add SSL to your list of authentication methods for "CONFIG"-level commands.
We have a recipe for setting up SSL for DAEMON-level (and NEGOTIATOR-level) commands, which you might find handy:
However, we don't yet have one specifically for using the client tools to issue commands to daemons (such as condor_config_val -rset).
If you become stuck at all, please let me know and I can spend a little time putting together a real recipe.
> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
> Of Koschmieder, Lukas
> Sent: Tuesday, September 12, 2017 3:58 AM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security
> Where can I find more information on the "potential security implications"
> mentioned in the manual on ENABLE_RUNTIME_CONFIG (see below)?
> What do admins have to do in order to eliminate this vulnerability? Would
> it be enough to set up a SSL connection between central server and execute
> The condor_config_val tool has an option -rset for dynamically setting run
> time configuration values, and which only affect the in-memory
> configuration variables. Because of the potential security implications of
> this feature, by default, HTCondor daemons will not honor these requests.
> To use this functionality, HTCondor administrators must specifically enable
> it by setting ENABLE_RUNTIME_CONFIG to True, and specify what configuration
> variables can be changed using the SETTABLE_ATTRS... family of
> configuration options. Defaults to False.
> Lukas Koschmieder
> Steel Institute IEHK
> RWTH Aachen University
> Intzestraße 1
> 52072 Aachen
> Tel: +49 (0)241 80 95823
> Fax: +49 (0)241 80 92253