
[HTCondor-users] Security Basics. How to distribute tokens




I am inspired by a great presentation

https://indico.cern.ch/event/817927/contributions/3570551/attachments/1916450/3168528/SecurityBasics.pdf

Thanks so much for this work!

I built a scheme similar to the one on slide 25, where the Worker Node is a Windows machine and the Central Manager is a Unix machine.
Everything works as expected if I set `SEC_DEFAULT_AUTHENTICATION` to `OPTIONAL` and `SEC_DEFAULT_INTEGRITY` to `OPTIONAL` on the Central Manager.
But if I set these to `REQUIRED`, I get the error: AUTHENTICATE:1004:Failed to authenticate using TOKEN.

The title of the slide is `And distribute tokens...`. Could you tell me how to do it? How do I distribute the generated tokens from the Central Manager to the Worker Node on Windows?


condor_config on Worker Node:

HOST_ALIAS = htcnodor-remote
CONDOR_HOST = $(FULL_HOSTNAME)
COLLECTOR_HOST = 100.70.128.2:9618    <--- path to the Central Manager
FLOCK_FROM = *
UID_DOMAIN =
CONDOR_ADMIN =
SMTP_SERVER =
ALLOW_READ = *
ALLOW_WRITE = *
ALLOW_ADMINISTRATOR = *
ALLOW_CONFIG = *
use POLICY : ALWAYS_RUN_JOBS
WANT_VACATE = FALSE
WANT_SUSPEND = TRUE
DAEMON_LIST = MASTER STARTD


The Central Manager is in a private network (I use CCB + shared port):

SHARED_PORT_PORT = 9618
UPDATE_COLLECTOR_WITH_TCP = TRUE
BIND_ALL_INTERFACES = TRUE
PRIVATE_NETWORK_NAME = htcondor
# require authentication and integrity for everything...
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_CLIENT_AUTHENTICATION = REQUIRED
# ...except read access...
SEC_READ_AUTHENTICATION=OPTIONAL
SEC_READ_INTEGRITY = OPTIONAL

SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, TOKEN
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD, TOKEN
SEC_CLIENT_AUTHENTICATION_METHODS = PASSWORD, TOKEN

ALLOW_READ = *
ALLOW_WRITE = *
ALLOW_OWNER = *
ALLOW_CLIENT = *
ALLOW_NEGOTIATOR = *
ALLOW_NEGOTIATOR_SCHEDD = *
ALLOW_ADMINISTRATOR = *
ALLOW_DAEMON = *
ALLOW_CONFIG = *
FLOCK_FROM = *
QUEUE_SUPER_USERS = $(QUEUE_SUPER_USERS) someuser

TRUST_UID_DOMAIN = True
DEFAULT_DOMAIN_NAME = htcondor
TRUST_DOMAIN = htcondor
UID_DOMAIN = htcondor
FILESYSTEM_DOMAIN = htcondor

--
Sincerely yours,
Ivan Ergunov                         mailto:hozblok@xxxxxxxxx
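The distribution step the slide leaves implicit, written out as an added example (this is not code from the post, the presentation, or the HTCondor project). An HTCondor token is a bearer credential signed with the pool signing key, which only the Central Manager holds; the Worker Node never needs that key, only the token file. So the procedure is: mint the token on the Unix Central Manager with condor_token_create, copy it to the Windows worker over an already-authenticated channel, drop it into the directory named by SEC_TOKEN_SYSTEM_DIRECTORY, and lock the file down, because anyone who can read it can authenticate as that identity. The script below runs on the Windows worker and does all of that over SSH. The SSH user `condoradmin`, the install location `C:\condor`, the identity `condor@htcondor` (chosen to match the UID_DOMAIN/TRUST_DOMAIN in the thread) and the token lifetime are assumptions; the collector address 100.70.128.2:9618 is the one from the thread. Check the condor_token_create and condor_ping flags against the manual for your HTCondor version.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# Windows Worker Node. Assumed (not from the thread): SSH access to the Central
# Manager as a user that may run condor_token_create (it needs to read the pool
# signing key, normally root), HTCondor installed under C:\condor, and an identity
# that the Central Manager's ALLOW_DAEMON list accepts.
param(
    [string]$CentralManager = '100.70.128.2',    # COLLECTOR_HOST from the thread
    [string]$SshUser        = 'condoradmin',     # assumed
    [string]$Identity       = 'condor@htcondor', # assumed; matches the thread's UID_DOMAIN
    [string]$CondorRoot     = 'C:\condor',       # assumed install location
    [int]$LifetimeSeconds   = 31536000           # assumed: one year
)

$tokenDir  = Join-Path $CondorRoot 'tokens.d'
$tokenFile = Join-Path $tokenDir 'central-manager.token'

# 1. Mint the token on the Central Manager. condor_token_create signs it with the
#    pool signing key (-key POOL is the default key name) and prints it on stdout;
#    -authz DAEMON limits what the token may be used for.
$raw = ssh "$SshUser@$CentralManager" `
    "condor_token_create -identity $Identity -key POOL -authz DAEMON -lifetime $LifetimeSeconds"
$token = ($raw -join '').Trim()
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($token)) {
    throw "condor_token_create failed on $CentralManager (exit code $LASTEXITCODE)"
}

# 2. Install the token where the worker's daemons look for it.
New-Item -ItemType Directory -Path $tokenDir -Force | Out-Null
Set-Content -Path $tokenFile -Value $token -NoNewline -Encoding Ascii

# 3. Bearer credential: strip inherited permissions and allow only SYSTEM and
#    Administrators (the accounts the condor service runs as / is managed by).
$acl = Get-Acl -Path $tokenFile
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRule($ace) | Out-Null }
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $tokenFile -AclObject $acl

# 4. Point the worker at the token directory and make TOKEN the method it offers,
#    then restart the service so the daemons re-read the configuration.
$localConfig = Join-Path $CondorRoot 'condor_config.local'
Add-Content -Path $localConfig -Value @"

# added by the token distribution script
SEC_TOKEN_SYSTEM_DIRECTORY = $tokenDir
SEC_DEFAULT_AUTHENTICATION_METHODS = TOKEN
SEC_CLIENT_AUTHENTICATION_METHODS = TOKEN
"@
Restart-Service -Name condor

# 5. Verify: ask the collector whether this host now authenticates at DAEMON level.
#    With REQUIRED authentication this is exactly the check that failed with
#    AUTHENTICATE:1004 before the token was installed.
condor_ping -verbose -pool "$($CentralManager):9618" -type COLLECTOR DAEMON
```

Two things to watch when adapting this: the identity baked into the token (`condor@htcondor` here) is what the Central Manager matches against ALLOW_DAEMON and friends, so a pool that tightens the `*` wildcards in the posted config must list that identity; and the token file is only as safe as the channel it travels over and the ACL it lands with, so copy it over SSH (or another authenticated, encrypted transport) rather than a shared folder, and never leave it world-readable.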