[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] LocalCredd attribute undefined

On Mon, Feb 8, 2016 at 5:06 PM, Sean Milligan
<Sean.Milligan@xxxxxxxxxxxxx> wrote:
Did you create a shared pool password with condor_store_cred -c

No, I did not. This is a restricted internal cluster, so the security
features aren't used. Is the pool password specifically required? I
know the example configuration uses a pool password, but I wouldn't
expect that specific mechanism to be a hard requirement.

Hi Ben,

Re the above, I think Sean is on the right track (thanks Sean!).

The use of pool password is not a hard-wired requirement, but what IS hard-coded into the credd in order for it to hand out a password is the following:
  1. The requesting client must use an authenticated connection
  2. The requesting client must have an encrypted connection
  3. The requesting client must be authorized for DAEMON level access.

So requirement 1 means you need to authenticate with at least SOME authentication method that works over the network (i.e. not FS); if you don't wanna deal with setting up a pool password or SSL certs, you could use CLAIMTOBE. CLAIMTOBE is not secure, but at least it doesn't require any effort to setup.

Requirement 2 means you had better setup encryption to be required.

Requirement 3 means you had better add the machines that need to fetch passwords (i.e. impersonate users) into the ALLOW_DAEMON knob on the CREDD.

So I'd suggest talking the example condor_config.local.credd and editing it to use something like CLAIMTOBE instead of pool password if you really trust everything/everyone on your internal cluster and setting up a pool password is to much work; i.e. consider putting something like the below on all your machines in your pool (warning, untested!) :

# Set security settings so that full security to the credd is required,
# since the credd will refuse to give out a password over a
# connection that is not authenticated and encrypted.

# Allow the client to claim to be anyone, and authorize the
# credd to give out passwords to anyone who asks with an
# ip address starting with 128.105.
# This is a VERY insecure setup!! Don't do this unless
# you trust all machines in the pool, trust all users on
# all the machines, and your pool is isolated on its own
# private network!!  You have been warned!!!
CREDD.ALLOW_DAEMON = */128.105.*