
Re: [HTCondor-users] Submitting and refreshing X509_USER_PROXY



Hi Zach,

I've read the HTCondor and MyProxy manuals more carefully and now I have a better understanding of the mechanisms. But what I still don't understand is how it is even possible for Condor to delegate/renew a user's proxy if the user only provides x509UserProxy as a parameter. From what I know, you can't simply use an X509_USER_PROXY to renew itself. You need to provide the MyProxy passphrase. Otherwise, an attacker could use this method as a loophole to renew a stolen X509_USER_PROXY again and again. Or am I misunderstanding something?

Cheers,
Lukas

--
Lukas Koschmieder
Steel Institute IEHK
RWTH Aachen University
Intzestraße 1
52072 Aachen
Germany

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Zach Miller <zmiller@xxxxxxxxxxx>
Sent: Wednesday, April 25, 2018 7:11:43 PM
To: HTCondor-Users Mail List
Subject: Re: [HTCondor-users] Submitting and refreshing X509_USER_PROXY
Hi Lukas,


HTCondor can automatically delegate GSI credentials to the execute node.  In your submit file just specify:
   x509UserProxy = /tmp/x509up_u<uid>

Delegating is better than transferring because the proxy is then not transmitted over the wire.  HTCondor will also then update the proxy on the execute machine if it changes on the submit machine.  No need for a wrapper script.  Details on that here:
  http://research.cs.wisc.edu/htcondor/manual/v8.7/condor_submit.html#97602


Also, a VERY important issue is that if you are running all jobs as nobody, one job would be able to see another job's sandbox (and therefore potentially steal the proxy from that job, which may be from a different user).

Instead of "nobody", you should use "slot users".  Details on that can be found here:
  http://research.cs.wisc.edu/htcondor/manual/v8.7/3_8Security.html#sec:RunAsNobody

This will isolate each job with its own UID so they cannot examine or interfere with each other.


Please let me know if you have any further questions!


Cheers,
-zach


> -----Original Message-----
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of
> Koschmieder, Lukas
> Sent: Wednesday, April 25, 2018 11:57 AM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: [HTCondor-users] Submitting and refreshing X509_USER_PROXY
>
> Hi,
>
> My scheduler and execute nodes are located in different networks. Therefore
> there is neither a shared filesystem nor a common UID domain available. All
> jobs have to run as nobody user.
>
> I've enabled GSI auth in Condor and set up two file servers that provide GSI
> auth support (Globus-GridFTP and XRootD). Now I'd like to enable Condor
> jobs to use the job owner's GSI credentials to access the GSI file servers.
> (The final goal is to dynamically auto-mount a user's XRootD working
> directory (input/output folder) on the execute nodes when a job starts -
> preferably inside the scratch directory.) I could use TRANSFER_INPUT_FILES
> to manually copy a user's local X509_USER_PROXY to the execute nodes and
> then use USER_JOB_WRAPPER to refresh that X509_USER_PROXY. I was wondering
> if there is a better / less hacky way to do that.
>
> Best regards,
> Lukas
>
>
>
> --
> Lukas Koschmieder
> Steel Institute IEHK
> RWTH Aachen University
> Intzestraße 1
> 52072 Aachen
> Germany


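The two points in Zach's reply (delegate the proxy with x509userproxy instead of copying it, and give each job its own UID instead of "nobody") can be turned into a small pre-submit checker. The script below is an added example, not code from the thread or from HTCondor itself. It assumes the proxy path convention /tmp/x509up_u<uid> quoted in the reply, that `openssl` is installed on the submit host, and the slot-user knobs SLOT<N>_USER and DEDICATED_EXECUTE_ACCOUNT_REGEXP documented in the manual section linked above; the config and proxy files in the test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or from HTCondor). Assumptions: proxy lives at
# /tmp/x509up_u<uid>, openssl is on PATH, and slot users are configured with the
# SLOT<N>_USER / DEDICATED_EXECUTE_ACCOUNT_REGEXP knobs from the HTCondor manual.

# 1. Submit side: the proxy that will be delegated must be a regular file that only
#    its owner can read (mode 0600). Anything looser is readable by every other local
#    user, which is the same exposure the shared "nobody" sandbox creates on the
#    execute node.
proxy_perms_ok() {
  proxy="$1"
  [ -f "$proxy" ] || return 1
  mode=$(stat -c '%a' "$proxy" 2>/dev/null) || mode=$(stat -f '%Lp' "$proxy")
  [ "$mode" = "600" ]
}

# 2. Submit side: HTCondor delegates whatever is in the file and pushes a new
#    delegation only when that file changes, so the proxy has to be refreshed here
#    (voms-proxy-init, myproxy-logon, ...) before it runs out. `openssl x509
#    -checkend N` exits 0 if the certificate is still valid for at least N seconds.
proxy_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# 3. The submit description: x509userproxy delegates the credential, so there is no
#    transfer_input_files copy of the proxy and no wrapper script to refresh it.
render_submit() {
  cat <<EOF
universe       = vanilla
executable     = $1
x509userproxy  = /tmp/x509up_u$(id -u)
queue
EOF
}

# 4. Execute side: with no SLOT<N>_USER accounts every job runs as "nobody" and can
#    read every other job's sandbox, including its delegated proxy. Returns non-zero
#    for a config that does not define both slot-user knobs.
slot_users_configured() {
  grep -Eq '^[[:space:]]*SLOT[0-9]+_USER[[:space:]]*=' "$1" &&
    grep -Eq '^[[:space:]]*DEDICATED_EXECUTE_ACCOUNT_REGEXP[[:space:]]*=' "$1"
}

# Pre-submit driver: print the submit description, or fail with a reason instead of
# submitting a job that would be delegated an over-permissive or nearly expired proxy.
# Usage: sh presubmit.sh /path/to/executable > job.sub && condor_submit job.sub
presubmit_check() {
  proxy="/tmp/x509up_u$(id -u)"
  proxy_perms_ok "$proxy" ||
    { echo "proxy $proxy missing or not mode 0600" >&2; return 1; }
  proxy_valid_for "$proxy" 3600 ||
    { echo "proxy $proxy expires within an hour; refresh it first" >&2; return 1; }
  render_submit "$1"
}
```

The lifetime check is the part that answers Lukas's follow-up: nothing in the submit file renews the proxy, it only re-delegates whatever the user (or a cron job holding the MyProxy passphrase) has already refreshed in that file. The slot-user check is meant for the execute node's condor_config, where a missing SLOT<N>_USER definition is the "all jobs as nobody" setup the reply warns about.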