Mailing List Archives
Authenticated access
|
|
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Condor-users] Understanding authentication in Condor
- Date: Wed, 15 Aug 2012 03:48:39 +0000
- From: "Jewell, Chris" <C.P.Jewell@xxxxxxxxxxxx>
- Subject: [Condor-users] Understanding authentication in Condor
Hi all,
I'm having a tough time trying to understand security in Condor. I'm trying to understand how the Condor password authentication works in a testbed system of a Linux submit/negotiate/collect/execute host and a Windows execute host.
The Windows box has simply an administration user on it currently, whilst the Linux box has the users that will be utilising the cluster. I added the pool password to the Windows box, as described in section 3.6.3.4 of the manual. Similarly, I created a secrets file on the Linux box.
Currently, both my condor_config.local files (based on the example in the manual) look like:
SEC_PASSWORD_FILE = /etc/condor/secrets
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = PASSWORD
SEC_CLIENT_AUTHENTICATION_METHODS = FS, PASSWORD
ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)/192.168.1.*,condor@$(UID_DOMAIN)/$(IP_ADDRESS), condor_pool@$(UID_DOMAIN)/127.0.0.1, condor@$(UID_DOMAIN)/127.0.0.1
ALLOW_NEGOTIATOR = condor_pool@$(UID_DOMAIN)/192.168.1.25, 127.0.0.1
ALLOW_CONFIG = root@$(UID_DOMAIN)/$(IP_ADDRESS)
ALLOW_WRITE = $(ALLOW_WRITE),192.168.1.*
ALLOW_READ = $(ALLOW_READ), 192.168.1.*
Obviously, this prevents any daemons that do not have the shared password from joining the pool, and works okay (albeit with quite slow job throughput).
The problem (is it a problem?) is that I'm still allowing write/read access to anybody on the subnet. If I change my ALLOW_WRITE/READ lines to *@$(UID_DOMAIN)/192.168.1.*, then the file transfers bomb out as per Ticket #1759. Following #1759's suggested workaround, I try to implement SEC_WRITE_AUTHENTICATION = required, SEC_WRITE_AUTHENTICATION_METHODS = fs, password. However, I get messages in ShadowLog such as:
08/15/12 15:44:36 (30.0) (8720): AUTHENTICATE: handshake failed!
08/15/12 15:44:36 (30.0) (8720): DC_AUTHENTICATE: required authentication of 192.168.1.15 failed: AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using FS
Can anyone help, or point me in the direction of a more comprehensive tutorial?
Thanks,
Chris
--
Dr Chris Jewell
Massey University
Private Bag 11222
Palmerston North 4442
New Zealand
Tel: +64 (0) 6 350 5701 Extn: 3586