In 8.6, metaknobs allow arguments, and they can be optional. So how about something like this:

use SECURITY : HOST_BASED_PRIVATE_NETWORK(192.168.0.0/21)  or
use SECURITY : HOST_BASED_PRIVATE_NETWORK(192.168.0.0/21, NEMONET)
which would expand to

    use SECURITY : HOST_BASED
    ALLOW_WRITE = $(1) $(ALLOW_WRITE)
    ALLOW_READ = $(1) $(ALLOW_READ)
    BIND_ALL_INTERFACES = false
    If $(2?)
       PRIVATE_NETWORK_INTERFACE = $(1)
       PRIVATE_NETWORK_NAME = $(2)
       # set this just so that we can easily reference the private network ip range in other config knobs.
       $(2)_SUBNET = $(1)
    Endif

I'm told that setting NETWORK_INTERFACE can be left at the default of * when PRIVATE_NETWORK_INTERFACE is set.

-tj
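As an added illustration (not HTCondor's configuration engine, and not code from anyone in this thread), a small Python model of the metaknob expansion sketched above, which then checks which peer addresses the resulting ALLOW_WRITE list would admit. It handles only the two address notations used in the thread (CIDR such as 192.168.0.0/21 and dotted wildcards such as 172.20.*); HTCondor's own argument checking and hostname matching are assumed out of scope.

```python
"""Model of the proposed HOST_BASED_PRIVATE_NETWORK(subnet[, name]) metaknob.

Constructed example: it mimics the expansion shown in the thread and then
evaluates the resulting ALLOW_* list the way a host-based check would.
HTCondor's real expansion and matching rules may differ (assumption).
"""
import ipaddress
import re


def expand_private_network(subnet, name=None, existing=None):
    """Return the knobs the metaknob would set.

    subnet -> $(1); name -> $(2), optional (the If $(2?) ... Endif block).
    `existing` models the prior ALLOW_WRITE/ALLOW_READ values that
    $(ALLOW_WRITE) / $(ALLOW_READ) append; assumed empty when not given.
    """
    existing = existing or {}
    knobs = {
        "ALLOW_WRITE": f"{subnet} {existing.get('ALLOW_WRITE', '')}".strip(),
        "ALLOW_READ": f"{subnet} {existing.get('ALLOW_READ', '')}".strip(),
        "BIND_ALL_INTERFACES": "false",
    }
    if name:  # second argument present: name the private network too
        knobs["PRIVATE_NETWORK_INTERFACE"] = subnet
        knobs["PRIVATE_NETWORK_NAME"] = name
        knobs[f"{name}_SUBNET"] = subnet
    return knobs


def entry_matches(entry, peer_ip):
    """Does one ALLOW_* entry (CIDR, dotted wildcard or literal IP) cover peer_ip?"""
    ip = ipaddress.ip_address(peer_ip)
    if "/" in entry:
        return ip in ipaddress.ip_network(entry, strict=False)
    if "*" in entry:
        # 172.20.* -> ^172\.20\..*$ ; anchored so 172.200.x.x does not match
        pattern = "^" + re.escape(entry).replace(r"\*", ".*") + "$"
        return re.match(pattern, peer_ip) is not None
    try:
        return ipaddress.ip_address(entry) == ip
    except ValueError:  # hostnames and other forms are not modelled here
        return False


def allowed(knobs, level, peer_ip):
    """True if any entry in ALLOW_<level> (e.g. ALLOW_WRITE) covers peer_ip."""
    return any(entry_matches(e, peer_ip) for e in knobs[f"ALLOW_{level}"].split())
```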
From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf Of Tom Downes
Sent: Friday, February 17, 2017 5:12 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] automatic selection of advertised IP
Aha.
I realize IP-based security is more a security blanket than a security posture, but I'd wager it's the dominant model in use. Worth making the simple cases simple to configure.
--
Tom Downes
Senior Scientist and Data Center Manager
Center for Gravitation, Cosmology and Astrophysics
University of Wisconsin-Milwaukee
414.229.2678
On Fri, Feb 17, 2017 at 4:50 PM, Tom Downes <downes@xxxxxxx> wrote:
I swear I put together a ticket which suggested whittling down these knobs so that you could effectively do

use SECURITY:HOST_BASED
PRIVATE_SUBNET = 172.20.0.0/23

and be "done" in the sense of having implemented something that is marginally better than nothing but also reliable.
--
Tom Downes
Senior Scientist and Data Center Manager
Center for Gravitation, Cosmology and Astrophysics
University of Wisconsin-Milwaukee
414.229.2678
On Fri, Feb 17, 2017 at 4:43 PM, Todd L Miller <tlmiller@xxxxxxxxxxx> wrote:
# ensure all communication occurs over private network
# may need to tweak when setting up flocking
BIND_ALL_INTERFACES = False
NETWORK_INTERFACE         = 172.20.*
PRIVATE_NETWORK_NAME      = NEMONET
PRIVATE_NETWORK_INTERFACE = 172.20.*
    You probably don't actually need the PRIVATE_NETWORK_* bits with BIND_ALL_INTERFACES and NETWORK_INTERFACE set that way. I think the reverse is true as well (that HTCondor prefers matching named private networks over everything else), but I guess getting a 172.20.* address everywhere is less confusing/worrisome.
- ToddM
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@cs.wisc.edu with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/