
Re: [HTCondor-users] Security Basics. How to distribute tokens



Hello Ivan,

The support for "TOKEN" authentication is very new and currently works on UNIX-type systems but not on Windows.  More work needs to be done, as you discovered, to put tokens in the right place for Windows.  On Linux, they are stored in files but on Windows they are stored in the secure area of the registry, and there is currently no way to inject these tokens that were created by the collector into the registry.

In a mixed Windows/Unix pool like yours, I would suggest you configure your setup using the "PASSWORD" method.  For this, on all machines you can create the credential by running:

  condor_store_cred -c add


Please try that and let me know if you have any problems or questions.


Cheers,
-zach
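As an added illustration of the advice above (not code from the thread or from the HTCondor project), the following offline checker parses a Central Manager and a Windows worker condor_config and reports whether the authentication methods fit a mixed pool where, as Zach describes for HTCondor of that time, TOKEN cannot be used on Windows and PASSWORD needs `condor_store_cred -c add` on every host. The sample configs are trimmed copies of the ones in the thread, constructed inline; the DAEMON level is assumed to be the one the startd uses when talking to the collector.

```python
"""Offline consistency check of HTCondor security settings for a mixed
Windows/Unix pool.  Sample configs are trimmed copies of the thread's (constructed)."""

CENTRAL_MANAGER_CONFIG = """
# require authentication and integrity for everything...
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_READ_AUTHENTICATION=OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, TOKEN
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD, TOKEN
"""

WINDOWS_WORKER_CONFIG = """
CONDOR_HOST = $(FULL_HOSTNAME)
COLLECTOR_HOST = 100.70.128.2:9618
DAEMON_LIST = MASTER STARTD
"""

def parse_condor_config(text):
    """Parse `KEY = VALUE` lines; comments and `use ...` metaknobs are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.lower().startswith("use ") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().upper()] = value.strip()
    return cfg

def methods(cfg, level):
    """Method list for a security level, falling back to the DEFAULT level."""
    raw = cfg.get(f"SEC_{level}_AUTHENTICATION_METHODS",
                  cfg.get("SEC_DEFAULT_AUTHENTICATION_METHODS", ""))
    return [m.strip().upper() for m in raw.split(",") if m.strip()]

def check_mixed_pool(cm_text, win_text, level="DAEMON"):
    """Findings for a Windows worker contacting a Central Manager (CM)."""
    cm, win = parse_condor_config(cm_text), parse_condor_config(win_text)
    required = cm.get(f"SEC_{level}_AUTHENTICATION",
                      cm.get("SEC_DEFAULT_AUTHENTICATION", "")).upper() == "REQUIRED"
    cm_methods, findings = methods(cm, level), []
    if required and "TOKEN" in cm_methods and "PASSWORD" not in cm_methods:
        findings.append("CM requires auth but offers only TOKEN: Windows worker cannot use it")
    if required and "PASSWORD" in cm_methods:
        findings.append("PASSWORD enabled: run `condor_store_cred -c add` on every host")
    if required and not methods(win, level):
        findings.append("worker sets no SEC_*_AUTHENTICATION_METHODS; set PASSWORD explicitly")
    return findings
```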


On 12/11/19, 2:21 PM, "HTCondor-users on behalf of don_vanchos" <htcondor-users-bounces@xxxxxxxxxxx on behalf of hozblok@xxxxxxxxx> wrote:

    I am inspired by a great presentation:

    https://indico.cern.ch/event/817927/contributions/3570551/attachments/1916450/3168528/SecurityBasics.pdf

    Thanks so much for this work!

    I built a similar scheme as on slide 25, where the Worker Node is a Windows machine and the Central Manager is a Unix machine.

    Everything works as expected if I set the settings `SEC_DEFAULT_AUTHENTICATION` to `OPTIONAL` and `SEC_DEFAULT_INTEGRITY` to `OPTIONAL` on the Central Manager.

    But if I set these to `REQUIRED`, I get the error: AUTHENTICATE:1004:Failed to authenticate using TOKEN.

    The title of the slide is `And distribute tokens...`. Could you tell me how to do it? How do I distribute generated tokens from the Central Manager to the Worker Node on Windows?

    condor_config on Worker Node:
    
    
    HOST_ALIAS = htcnodor-remote
    CONDOR_HOST = $(FULL_HOSTNAME)
    COLLECTOR_HOST = 100.70.128.2:9618     <--- path to the Central Manager
    FLOCK_FROM = *
    UID_DOMAIN = 
    CONDOR_ADMIN = 
    SMTP_SERVER = 
    ALLOW_READ = *
    ALLOW_WRITE = *
    ALLOW_ADMINISTRATOR =  *
    ALLOW_CONFIG = *
    use POLICY : ALWAYS_RUN_JOBS
    WANT_VACATE = FALSE
    WANT_SUSPEND = TRUE
    DAEMON_LIST = MASTER STARTD

    Central Manager is in a private network (I use CCB + shared port):

    SHARED_PORT_PORT = 9618
    
    UPDATE_COLLECTOR_WITH_TCP = TRUE
    BIND_ALL_INTERFACES = TRUE
    
    PRIVATE_NETWORK_NAME = htcondor
    
    # require authentication and integrity for everything...
    SEC_DEFAULT_AUTHENTICATION = REQUIRED
    SEC_DEFAULT_INTEGRITY = REQUIRED
    SEC_CLIENT_AUTHENTICATION = REQUIRED
    # ...except read access...
    SEC_READ_AUTHENTICATION=OPTIONAL
    SEC_READ_INTEGRITY = OPTIONAL
    
    SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, TOKEN
    SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD, TOKEN
    SEC_CLIENT_AUTHENTICATION_METHODS = PASSWORD, TOKEN
    ALLOW_READ = *
    ALLOW_WRITE = *
    ALLOW_OWNER = *
    ALLOW_CLIENT = *
    ALLOW_NEGOTIATOR = *
    ALLOW_NEGOTIATOR_SCHEDD = *
    ALLOW_ADMINISTRATOR = *
    ALLOW_DAEMON = *
    ALLOW_CONFIG = *
    FLOCK_FROM = *
    
    QUEUE_SUPER_USERS = $(QUEUE_SUPER_USERS) someuser
    TRUST_UID_DOMAIN = True
    DEFAULT_DOMAIN_NAME = htcondor
    TRUST_DOMAIN = htcondor
    UID_DOMAIN = htcondor
    FILESYSTEM_DOMAIN = htcondor

    -- 
    Sincerely yours,
    Ivan Ergunov  mailto:hozblok@xxxxxxxxx