
Re: [HTCondor-users] IDTOKENS and cli



Hi Mike,

To be clear --

Neither ANONYMOUS nor CLAIMTOBE provide authentication (trivial to spoof the identity; for ANONYMOUS, however, there's only a single identity allowable (anonymous)) or integrity (possible for a MiTM to change the response over the network).  Hence, they're really only reasonable to use in a carefully controlled network setting.

OSG endpoints often are exposed or accessible to wider sets of networks, hence SSL is a more reasonable choice in that setting.

Brian

On Apr 27, 2022, at 11:32 AM, Brian Lin <blin@xxxxxxxxxxx> wrote:

In the OSG, we often suggest that sites or service owners get a host certificate and use SSL authentication, which doesn't require a credential from the client. This way, communications will be encrypted and integrity-checked.

- Brian

On 4/27/22 11:14, Jaime Frey wrote:
To allow users to query the collector (i.e. use condor_status) without a token, we suggest allowing the ANONYMOUS or CLAIMTOBE authentication method for the READ and CLIENT authorization levels. If you don't set the authentication methods, CLAIMTOBE is enabled by default. If you use the get_htcondor tool to configure your machines, ANONYMOUS is enabled.

If you're setting the authentication methods explicitly on your config file, then try using these values:

SEC_READ_AUTHENTICATION_METHODS = IDTOKENS, FS, ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = IDTOKENS, FS, ANONYMOUS

The -authz argument to condor_token_create specifies authorization levels, not command names. UPDATE_SCHEDD_AD, QUERY_STARTD_ADS, and UPDATE_AD_GENERIC are command names and thus won't do anything in the token.

 - Jaime

On Apr 25, 2022, at 4:46 PM, Michael Thomas <wart@xxxxxxxxxxx> wrote:

I'm still flailing about trying to get idtokens working on a new 9.0.12 schedd in my cluster.

I was finally able to get the schedd talking to the collector by issuing a new token with condor_token_create (and a long list of permissions), then signing it on the CM:

condor_token_create -identity schedd@xxxxxxxxxxxxxxxxxxxxxxxx -authz DAEMON -authz UPDATE_SCHEDD_AD -authz READ -authz WRITE -authz QUERY_STARTD_ADS -authz UPDATE_AD_GENERIC -authz ADMINISTRATOR

However, I'm unable to get some CLI commands to work.  Notably, the 'condor_status' command, when run as root, returns:

# condor_status
Error: communication error
SECMAN:2010:Received "DENIED" from server for user condor@xxxxxxxxxxxxxxxxxxxxxxxx using method IDTOKENS.

The collector reports the following error:

04/25/22 16:41:03 DC_AUTHENTICATE: message authenticator enabled with key id ldas-condor:2734:1650922863:33339.
04/25/22 16:41:03 DC_AUTHENTICATE: Success.
04/25/22 16:41:03 DC_AUTHENTICATE: authentication of <10.13.5.58:20190> was successful but resulted in a limited authorization which did not include this command (5 QUERY_STARTD_ADS), so aborting.

...which seems odd considering that I explicitly included QUERY_STARTD_ADS in the token request above.


As a user, it won't even authenticate:

$ condor_status
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
AUTHENTICATE:1004:Failed to authenticate using FS

Any suggestions on where to look next?

--Mike
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
