
Re: [HTCondor-users] condor 8.x and authentication woes



Hi Keith,

Sorry to hear that you have issues!

If you're going for a "simple, secure" setup, I would recommend using PASSWORD auth (slides 11-17 of the presentation you linked https://indico.cern.ch/event/272794/contributions/614951/attachments/490442/677973/MillerZ-Securing.pdf).

There are some limitations for PASSWORD noted in the slides (namely: flocking multiple pools together and remote submission); it doesn't sound like you will hit those limitations currently.  In 8.9.2, we have started to lift those limitations (life will get easier in 8.9.3 and yet again in 8.9.4).

SSL is relatively complex because, well, setting up a public key infrastructure is relatively complex.  8.9.3 will provide a few sane defaults (fewer knobs to turn), but there's a limit to how simple it can go.

Any reason why you gravitate toward SSL instead of PASSWORD?

Thanks,

Brian

On Jul 1, 2019, at 8:46 PM, Keith Brown <keith6014@xxxxxxxxx> wrote:

I have been a long time condor 6 & 7 user and decided to give v8 a try
in our lab. Installation was done through an RPM, RHEL 7.6.

I have 2 nodes: r1 (COLLECTOR, MASTER, NEGOTIATOR, SCHEDD, STARTD). r2
(MASTER, STARTD).  I am able to start everything up but on r2 I keep
seeing

07/01/19 21:35:14 SECMAN: FAILED: Received "DENIED" from server for
user unauthenticated@unmapped using method (no authentication).
07/01/19 21:35:14 ERROR: SECMAN:2010:Received "DENIED" from server for
user unauthenticated@unmapped using method (no authentication).

I am tempted to go "CLAIMTOBE" route. Instead, I looked into SSL
because that seems to be recommended but getting it to work is very
hard.


I have followed,
http://research.cs.wisc.edu/htcondor/CondorWeek2011/presentations/zmiller-ssl-tutorial.pdf
and https://indico.cern.ch/event/272794/contributions/614951/attachments/490442/677973/MillerZ-Securing.pdf
https://www-auth.cs.wisc.edu/lists/htcondor-users/2010-January/msg00228.shtml

Is there a simpler version of the SSL setup? Has anyone gotten a
simple SSL setup to work?

The documentation, https://htcondor.readthedocs.io/en/v8_8_3/admin-manual/security.html,
should include a quick start for SSL. Otherwise, I think everything
will go with claimedtobe and make instances insecure.
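
An added example, not part of the original thread or the linked slides: a minimal PASSWORD-authentication configuration for the two-node pool described above (r1 and r2), which replaces the unauthenticated connections seen in the SECMAN errors with pool-password authentication. The file path is an assumed choice; the knobs are standard HTCondor configuration macros.

```conf
# /etc/condor/config.d/50-security.conf   (assumed path; identical on r1 and r2)
#
# Before starting the daemons, store the SAME pool password on each node, as root:
#   condor_store_cred -c add
# The password is written to the file named by SEC_PASSWORD_FILE below;
# keep that file owned by root and readable by root only.
SEC_PASSWORD_FILE = /etc/condor/passwords.d/POOL

# Refuse any connection that is not authenticated and integrity-protected.
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_INTEGRITY = REQUIRED

# FS authenticates local users and tools on the same host by file ownership;
# PASSWORD authenticates connections between r1 and r2.
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, PASSWORD

# Daemon-to-daemon and negotiator traffic must use the pool password.
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = PASSWORD

# A peer that authenticated with the pool password is mapped to condor_pool@<domain>.
# Only that identity is authorized at the DAEMON and NEGOTIATOR levels, so an
# unauthenticated@unmapped peer is still denied, as it should be.
ALLOW_DAEMON = condor_pool@*
ALLOW_NEGOTIATOR = condor_pool@*
```

After placing the file on both nodes, restart the HTCondor daemons so the new security settings and the stored password take effect.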