
Re: [HTCondor-users] Submitting different users jobs from the single remote user.



Hello Brian,

Thank you, the queue super user option works perfectly and seems to be exactly what we need.
Now I'm trying to add authentication for the app-server user and am stuck with the token mechanism.

I have a setup of 4 docker containers running in the same network: master, submit, worker and a test container for remote submission.
They all have htcondor 8.9.2 installed. Master, submit and worker use the pool password for authentication and the test container has a token
generated from that pool password (the system in the test container does not have a 'p7-server' user):

>user@459baa61ca5c:/$ condor_token_list 
>Header: {"alg":"HS256","kid":"POOL"} Payload: {"iat":1561470288,"iss":"htcondor-manager","sub":"p7-server@xxxxxxxxxxxxxx"} File: /etc/condor/tokens.d/p7-server.token

All containers have the same condor-host and domain settings in config file (read, write, client and negotiate rights are allowed to '*'):

>CONDOR_HOST=htcondor-manager
>DEFAULT_DOMAIN_NAME = htcondor.p7.da
>UID_DOMAIN = htcondor.p7.da
>TRUST_UID_DOMAIN = True
>FILESYSTEM_DOMAIN = htcondor.p7.da

Since docker does not have any domain system by default I made two aliases for the master host: htcondor-manager and htcondor-manager.htcondor.p7.da .
The test system just has a random hostname without a domain name. The problem is that the test system can not find the token in the token file:

>user@459baa61ca5c:/$ condor_submit -debug -file submit -remote htcondor-manager
>06/25/19 14:05:51 (fd:4) (pid:38) (D_SECURITY) SECMAN: new session, doing initial authentication.
>06/25/19 14:05:51 (fd:4) (pid:38) (D_SECURITY) SECMAN: Auth methods: TOKEN
>06/25/19 14:05:51 (fd:4) (pid:38) (D_SECURITY) AUTHENTICATE: setting timeout for <192.168.48.3:9618> to 20.
>06/25/19 14:05:51 (fd:4) (pid:38) (D_SECURITY) HANDSHAKE: in handshake(my_methods = 'TOKEN')
>06/25/19 14:05:51 (fd:4) (pid:38) (D_SECURITY) HANDSHAKE: handshake() - i am the client
>06/25/19 14:05:51 (fd:4) (pid:38) (D_SECURITY) HANDSHAKE: sending (methods == 2048) to server
>06/25/19 14:05:51 (fd:4) (pid:38) (D_NETWORK) condor_write(fd=3 collector at <192.168.48.3:9618>,,size=13,timeout=20,flags=0,non_blocking=0)
>06/25/19 14:05:51 (fd:4) (pid:38) (D_NETWORK) condor_read(fd=3 collector at <192.168.48.3:9618>,,size=5,timeout=20,flags=0,non_blocking=0)
>06/25/19 14:05:51 (fd:4) (pid:38) (D_NETWORK) condor_read(fd=3 collector at <192.168.48.3:9618>,,size=8,timeout=20,flags=0,non_blocking=0)
>06/25/19 14:05:51 (fd:4) (pid:38) (D_SECURITY) HANDSHAKE: server replied (method = 2048)
>06/25/19 14:05:51 (fd:4) (pid:38) (D_SECURITY) PW.
>06/25/19 14:05:51 (fd:4) (pid:38) (D_SECURITY) PW: getting name.
>06/25/19 14:05:51 (fd:5) (pid:38) (D_SECURITY) TOKEN: Will use examine tokens found in /etc/condor/tokens.d/p7-server.token.
>06/25/19 14:05:51 (fd:4) (pid:38) (D_ALWAYS) TOKEN: No token found.

Full log is here: https://pastebin.com/AD1x6cd3

The test system user may read the token file content and may ping both htcondor-manager and htcondor-manager.htcondor.p7.da .
From the htcondor source code I guess that the client is failing to match the server hostname (or full hostname) with the certificate issuer.
Could you point out how the certificate issuer is related to condor-host and what I can do to debug this further?

----------
Sergey Komissarov
Senior Software Developer
DATADVANCE




----- Original Message -----
From: "Brian Bockelman" <BBockelman@xxxxxxxxxxxxx>
To: "HTCondor-Users Mail List" <htcondor-users@xxxxxxxxxxx>
Sent: Friday, June 21, 2019 4:57:25 AM
Subject: Re: [HTCondor-users] Submitting different users jobs from the single remote user.

Hi Sergey,

Some answers inline.

> On Jun 20, 2019, at 7:19 AM, Sergey A. Komissarov <sergey.komissarov@xxxxxxxxxxxxxx> wrote:
> 
> Hello,
> 
> We are trying to build an application which submits jobs to the htcondor cluster.
> In our test setup we have docker containers in the same network, htcondor cluster 
> with CentralManager, Submit and Execute instances sharing the same SHARED_PORT_PORT and CONDOR_HOST settings.
> And docker container with application server which uses htcondor python bindings without htcondor itself installed.
> 
> I have two questions:
> 
> 1) Which security model to choose? 
> Application server and all htcondor services are in the trusted network, so I guess we may use something simple like
> HOST_BASED security and pool password authentication between condor services. 
> And token or certificate authentication for the application server.
> 

Probably pool password is the most reasonable choice here.  If you're interested in new approaches, the "TOKEN" auth is of similar simplicity but provides more fine-grained auth.  It is available starting with HTCondor 8.9.2.

> 2) Is it possible to change job owner when it is submitted from the application server to htcondor?
> Application server is run under its own user but knows username and uid of the real job owner. All users which
> needs to start jobs have same names and uids in every docker container. May be we can use individual token for each user 
> with unique identity?
> 

This may be technically feasible, but there's a simpler approach -- you can mark the application server as a "queue superuser".  See:

https://htcondor.readthedocs.io/en/latest/admin-manual/configuration-macros.html?highlight=queue_super_user_may_impersonate

If you set:

QUEUE_SUPER_USERS = apache
QUEUE_SUPER_USER_MAY_IMPERSONATE = joe|bob|frida

(the second config variable is a regex)

then the apache user will be allowed to impersonate users joe, bob, and frida.  By "impersonate", we mean that it can set the Owner attribute in the submit object for python.  That is,

sub["+Owner"] = "bob"

This will cause HTCondor to run the job as user "bob".

HTH,

Brian
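An added example (not code from either poster, and not HTCondor's own code) of how an application server that is a queue superuser can apply the same QUEUE_SUPER_USER_MAY_IMPERSONATE allowlist on its side before setting Owner. The "apache" user, the "joe|bob|frida" regex, and the assumption that the regex is matched against the whole user name are taken from or layered on the reply above; the Schedd.transaction/Submit.queue calls are the 8.9-era binding API and only run when the htcondor module is installed.

```python
import re

# Mirror of the schedd-side policy from the reply above. Both values are
# the thread's example settings, not anything read from a real config.
QUEUE_SUPER_USERS = {"apache"}
QUEUE_SUPER_USER_MAY_IMPERSONATE = re.compile(r"joe|bob|frida")


def authorize_owner(submitting_user, requested_owner):
    """Return True only if submitting_user may set Owner=requested_owner.

    The schedd enforces this too, but the app server should refuse early
    so a web request cannot probe the schedd with arbitrary user names.
    fullmatch is an assumption about the regex semantics: with re.search
    the example regex would also accept 'bobby' or 'joe-admin'."""
    if submitting_user not in QUEUE_SUPER_USERS:
        return False
    return QUEUE_SUPER_USER_MAY_IMPERSONATE.fullmatch(requested_owner) is not None


def build_submit_description(submitting_user, requested_owner, executable):
    """Build the dict later handed to htcondor.Submit(). Raises on a
    disallowed owner instead of letting the schedd reject the job."""
    if not authorize_owner(submitting_user, requested_owner):
        raise PermissionError(
            f"{submitting_user} may not impersonate {requested_owner}")
    return {
        "executable": executable,
        "log": f"{requested_owner}.log",
        # "+Owner" sets the Owner job attribute; the value is written as a
        # ClassAd string literal, hence the inner double quotes.
        "+Owner": f'"{requested_owner}"',
    }


def submit_as(submitting_user, requested_owner, executable):
    """Submit through the Python bindings when they are installed
    (assumed 8.9-era API: Schedd.transaction + Submit.queue); otherwise
    return the description so the policy can be exercised without a pool."""
    desc = build_submit_description(submitting_user, requested_owner, executable)
    try:
        import htcondor  # only present on a host with the bindings
    except ImportError:
        return desc
    schedd = htcondor.Schedd()
    with schedd.transaction() as txn:
        htcondor.Submit(desc).queue(txn)
    return desc
```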