HTCondor Project List Archives




[Condor-devel] proposed change: trust root for administrative access




I think it is unexpected by users that, by default, Condor does not allow administrative commands from root on the local computer. Combine that with the fact that several administrative commands lack any error feedback to the user when the command was rejected, and you get plenty of confusion.

I found that it is slightly awkward to change the default in the standard config file that ships with condor. Here is what has to change:

ALLOW_ADMINISTRATOR = \
*/$(CONDOR_HOST) \
root@$(UID_DOMAIN)/$(FULL_HOSTNAME)

# authentication is only OPTIONAL by default, so it doesn't normally happen
SEC_ADMINISTRATOR_AUTHENTICATION = PREFERRED

# Anonymous is not in the list of authentication methods by default, but
# we need it in order to allow remote unauthenticated administration
# from a trusted host.
# This is awkward to add because the default list is platform-dependent and
# cannot be referenced, because it is compiled into Condor but is not available
# for reference here.
# On Unix:
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = FS,KERBEROS,GSI,ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = FS,KERBEROS,GSI,ANONYMOUS
# On Windows:
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = NTSSPI,KERBEROS,GSI,ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI,KERBEROS,GSI,ANONYMOUS


Can we do better?

I also noticed that when ANONYMOUS is used, the user shows up as CONDOR_ANONYMOUS_USER, which lacks the all-important '@' sign necessary for referring to this user name in ALLOW/DENY policy.

I also propose that we change all of the HOSTALLOW_* settings to the new-style ALLOW_* in the default config. They are semantically equivalent, and it is just confusing for users that we use the old style but emphasize the new style in the documentation.

--Dan
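
The settings discussed in the message above can be checked mechanically. The following is an added example, not part of the original post and not HTCondor code: a small Python audit that flags the points the message raises. The parse() and audit() helpers are hypothetical, the sample text is constructed from the quoted settings, and the parser assumes only the syntax visible in the message (NAME = value, backslash continuation, # comments) with list entries separated by commas or whitespace.

```python
import re

# Constructed sample: the Unix settings from the message, plus one old-style
# HOSTALLOW_* line (value invented) to exercise the rename check.
SAMPLE = r"""
ALLOW_ADMINISTRATOR = \
*/$(CONDOR_HOST) \
root@$(UID_DOMAIN)/$(FULL_HOSTNAME)
SEC_ADMINISTRATOR_AUTHENTICATION = PREFERRED
# On Unix:
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = FS,KERBEROS,GSI,ANONYMOUS
HOSTALLOW_WRITE = *.example.org
"""

def parse(text):
    """Return {NAME: value}; joins backslash continuations, skips comments."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        name, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            settings[name.strip().upper()] = " ".join(value.split())
    return settings

def audit(settings):
    """List the review points this thread raises for a parsed config."""
    findings = []
    # The message states OPTIONAL is the default authentication level.
    level = settings.get("SEC_ADMINISTRATOR_AUTHENTICATION", "OPTIONAL").upper()
    methods = settings.get("SEC_ADMINISTRATOR_AUTHENTICATION_METHODS", "")
    if "ANONYMOUS" in (m.strip().upper() for m in methods.split(",")):
        findings.append("ANONYMOUS is an accepted ADMINISTRATOR method")
    for entry in re.split(r"[,\s]+", settings.get("ALLOW_ADMINISTRATOR", "")):
        user, slash, host = entry.partition("/")
        if slash and user == "*":
            findings.append(f"any user on {host} is an administrator")
        elif "@" in user and level == "OPTIONAL":
            findings.append(f"{entry} names a user but authentication is OPTIONAL")
    for name in settings:
        if name.startswith("HOSTALLOW_"):
            findings.append(f"{name} is old style; use ALLOW_{name[10:]}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```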