Re: [HTCondor-users] LocalCredd attribute undefined
- Date: Tue, 09 Feb 2016 13:38:23 -0600
- From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] LocalCredd attribute undefined
On Mon, Feb 8, 2016 at 5:06 PM, Sean Milligan
>> Did you create a shared pool password with condor_store_cred -c
> No, I did not. This is a restricted internal cluster, so the security
> features aren't used. Is the pool password specifically required? I
> know the example configuration uses a pool password, but I wouldn't
> expect that specific mechanism to be a hard requirement.
Re the above, I think Sean is on the right track (thanks Sean!).
The use of pool password is not a hard-wired requirement, but what IS
hard-coded into the credd in order for it to hand out a password is the following:
1. The requesting client must use an authenticated connection
2. The requesting client must have an encrypted connection
3. The requesting client must be authorized for DAEMON level access.
So requirement 1 means you need to authenticate with at least SOME
authentication method that works over the network (i.e. not FS); if you
don't wanna deal with setting up a pool password or SSL certs, you could
use CLAIMTOBE. CLAIMTOBE is not secure, but at least it doesn't require
any effort to set up.
Requirement 2 means you had better set up encryption to be required.
Requirement 3 means you had better add the machines that need to fetch
passwords (i.e. impersonate users) into the ALLOW_DAEMON knob on the CREDD.
So I'd suggest taking the example condor_config.local.credd and editing
it to use something like CLAIMTOBE instead of pool password if you
really trust everything/everyone on your internal cluster and setting up
a pool password is too much work; i.e. consider putting something like
the below on all your machines in your pool (warning, untested!) :
# Set security settings so that full security to the credd is required,
# since the credd will refuse to give out a password over a
# connection that is not authenticated and encrypted.
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
# Allow the client to claim to be anyone, and authorize the
# credd to give out passwords to anyone who asks with an
# ip address starting with 128.105.
# This is a VERY insecure setup!! Don't do this unless
# you trust all machines in the pool, trust all users on
# all the machines, and your pool is isolated on its own
# private network!! You have been warned!!!
SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE
CREDD.ALLOW_DAEMON = */128.105.*
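The three credd conditions above can be checked mechanically before a config is rolled out. The following is an added example, not code from the HTCondor project or from this thread: a small Python linter that parses condor_config-style KEY = VALUE lines (including trailing-backslash continuations, which is exactly how a stray backslash would silently glue two settings into one) and reports which of the three requirements a given client host would fail. The set of network-capable authentication method names, the CREDD.-prefixed lookup order and the sample configs are assumptions made for the example.

```python
"""Added example (not HTCondor code): lint a condor_config fragment against
the three conditions the credd enforces before handing out a password:
  1. a network-capable authentication method (FS alone cannot satisfy it),
  2. encryption REQUIRED on the credd,
  3. the requesting host authorized at DAEMON level on the credd.
"""
import fnmatch
import re

# Authentication methods that work over the network. FS only authenticates
# on the local machine. This set is an assumption for the example, not an
# exhaustive list of HTCondor methods.
NETWORK_AUTH_METHODS = {
    "PASSWORD", "SSL", "GSI", "KERBEROS", "CLAIMTOBE", "TOKEN",
    "IDTOKENS", "SCITOKENS", "NTSSPI", "MUNGE",
}


def parse_condor_config(text):
    """Parse KEY = VALUE lines; '#' starts a comment, a trailing '\\' joins
    the next line onto the current one (so a stray backslash swallows the
    following setting, which this parser makes visible)."""
    settings = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        line = pending + line
        pending = ""
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def lookup(settings, name, daemon="CREDD"):
    """Daemon-specific value (e.g. CREDD.SEC_DEFAULT_ENCRYPTION) wins over
    the generic one, mirroring how the thread's example scopes its knobs."""
    return settings.get(f"{daemon}.{name}", settings.get(name))


def host_allowed(allow_list, client_ip):
    """True if client_ip matches an entry of an ALLOW_* list. Entries look
    like 'user/host' or just 'host'; the host part may contain '*'."""
    for entry in re.split(r"[,\s]+", allow_list or ""):
        if not entry:
            continue
        host_part = entry.split("/", 1)[1] if "/" in entry else entry
        if fnmatch.fnmatchcase(client_ip, host_part):
            return True
    return False


def check_credd_security(settings, client_ip):
    """Return (problems, warnings) for a client at client_ip asking the credd
    for a password. Empty problems means all three requirements are met."""
    problems, warnings = [], []

    methods = lookup(settings, "SEC_DEFAULT_AUTHENTICATION_METHODS") or ""
    method_set = {m.upper() for m in re.split(r"[,\s]+", methods) if m}
    if not method_set & NETWORK_AUTH_METHODS:
        problems.append("requirement 1: no network-capable authentication "
                        "method configured (FS alone is not enough)")
    elif method_set <= {"CLAIMTOBE"}:
        warnings.append("CLAIMTOBE is the only authentication method: "
                        "any client can claim any identity")

    encryption = (lookup(settings, "SEC_DEFAULT_ENCRYPTION") or "").upper()
    if encryption != "REQUIRED":
        problems.append(f"requirement 2: CREDD.SEC_DEFAULT_ENCRYPTION is "
                        f"{encryption or 'unset'}, must be REQUIRED")

    if not host_allowed(lookup(settings, "ALLOW_DAEMON"), client_ip):
        problems.append(f"requirement 3: {client_ip} is not covered by "
                        f"the credd's ALLOW_DAEMON list")
    return problems, warnings


# Constructed sample: the thread's suggested settings (without the
# continuation backslash, so the last two lines stay separate settings).
PERMISSIVE_CFG = """
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE
CREDD.ALLOW_DAEMON = */128.105.*
"""

# Constructed sample: a config that fails all three requirements.
WEAK_CFG = """
SEC_DEFAULT_AUTHENTICATION_METHODS = FS
CREDD.SEC_DEFAULT_ENCRYPTION = OPTIONAL
CREDD.ALLOW_DAEMON = */10.0.0.*
"""

if __name__ == "__main__":
    for label, cfg in (("permissive", PERMISSIVE_CFG), ("weak", WEAK_CFG)):
        probs, warns = check_credd_security(parse_condor_config(cfg), "128.105.7.12")
        print(label, "problems:", probs, "warnings:", warns)
```

Run it as a script to see both sample configs evaluated for a client at a constructed 128.105.x address; the permissive config passes all three checks but carries the CLAIMTOBE warning, the weak one fails all three.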