Re: [Condor-users] Authentication Model - Condor + WebServices
- Date: Tue, 29 Apr 2008 12:02:54 -0500
- From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
- Subject: Re: [Condor-users] Authentication Model - Condor + WebServices
Andrea Borsic wrote:

> Dear All,
>
> I am new to the use of Condor, and I would like to post a question
> regarding the authentication model of Condor + WebServices:
>
> I am interested in submitting jobs to a Linux+Condor cluster via Web
> Services and I have realized that most Condor Web Services calls have a
> field called "Owner", where the client side can declare the user ID to
> be used for running the job. This arrangement is not satisfactory for
> us, as we would like to have a true authentication of the users.
>
> Is trusting the "Owner" field in the Web Services calls the only
> authentication model of Condor for Web Services? What are the common
> practices regarding this aspect - is there any secure way of
> authenticating the users? Apparently the User Manual does not cover in
> more detail these aspects, is there any documentation that might be
> helpful?

The Condor Manual needs to improve in this area, we hope to get to this
soon.

Although the client sets Owner=<whomever>, you can tell the schedd to
authenticate the client and then verify that the Owner attribute is
authentic (i.e. the Owner claimed by the client == the Owner verified by
the schedd itself).

Using its own communication protocol, Condor can perform this
authentication via a variety of protocols. Using the Web Service
interface, however, you have only one choice for strong authentication:
SSL. Specifically, HTTPS. Your client will need to have a client-side
SSL certificate. You then tell Condor that clients with a valid
certificate of subject X == condor "owner" Y --- i.e. you map ssl cert
names to Condor owners.

Does the above sound acceptable for what you have in mind?

For the settings in condor_config related to the above, see in the
manual at:
http://www.cs.wisc.edu/condor/manual/v7.0/3_3Configuration.html#sec:API-Config-File-Entries

Also, take a peek at slides 33 thru 38 in the following PowerPoint:
http://www.cs.wisc.edu/condor/CondorWeek2006/presentations/farrellee_tannenba_APIs.ppt

Hope this helps get you started,
Todd
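
Added example (not part of the original message, and not Condor's own code): a sketch of the check described in the reply, where the subject of an already-validated client certificate is mapped to an owner and compared with the Owner the client declared. The map format, the function names and the sample subjects are assumptions constructed for illustration.

```python
# Illustration only: map format, names and subjects are constructed, not Condor's.
SAMPLE_MAP = '''\
# "certificate subject" owner
"/O=Example Grid/OU=Imaging/CN=Alice Example" alice
"/O=Example Grid/OU=Imaging/CN=Bob Example" bob
'''


def parse_subject_map(text):
    """Parse lines of the form "<subject DN>" <owner> into a dict."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') != 2:
            raise ValueError(f"line {lineno}: expected a quoted subject")
        subject, _, owner = line[1:].partition('"')
        owner = owner.strip()
        if not subject or not owner or " " in owner:
            raise ValueError(f"line {lineno}: malformed entry")
        if subject in mapping:
            # A duplicate subject would make the mapping ambiguous.
            raise ValueError(f"line {lineno}: duplicate subject")
        mapping[subject] = owner
    return mapping


def authorize_owner(mapping, verified_subject, claimed_owner):
    """Return the owner to run as, or raise PermissionError.

    verified_subject must come from the TLS layer after the certificate
    chain has been validated, never from the request body.
    """
    if verified_subject is None:
        raise PermissionError("no verified client certificate")
    # Exact match only: prefix or substring matching would let a
    # differently named certificate inherit someone else's mapping.
    owner = mapping.get(verified_subject)
    if owner is None:
        raise PermissionError("certificate subject is not mapped to an owner")
    if claimed_owner != owner:
        raise PermissionError("declared Owner does not match the certificate")
    return owner


if __name__ == "__main__":
    subjects = parse_subject_map(SAMPLE_MAP)
    alice_dn = "/O=Example Grid/OU=Imaging/CN=Alice Example"
    print(authorize_owner(subjects, alice_dn, "alice"))
```
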