
Re: [HTCondor-users] NETWORK_INTERFACE - How to ALLOW/DENY?



Hi Greg,

NETWORK_INTERFACE allows one to select which network device HTCondor will listen on.  I.e., if I have two network cards in my host, I can decide whether HTCondor will listen on interface A, B, or both.

This is separate from what the hosts that are able to communicate with that network interface are allowed to do.

To further restrict ALLOW_* permissions based on network address, you can add a network limitation after a "/".  E.g.

ALLOW_WRITE = red.unl.edu@xxxxxxxxxxxxxxxxxxxxxxxxxx/*.unl.edu

would allow writes to my daemon only for clients from *.unl.edu AND authenticated as red.unl.edu@xxxxxxxxxxxxxxxxxxxxxxxxxxx.  OTOH,

ALLOW_READ = *.unl.edu

only allows reads from *.unl.edu.

So, to accomplish what you're looking for, you would:

a) Set NETWORK_INTERFACE to refer to the cards on your private network.
b) Use ALLOW_* / DENY_* to further reduce the subnets on the private network allowed to talk to HTCondor (such as excluding VPN users).

In my experience, it's easier to enumerate the "known good" subnets than blacklist all "known bad" subnets.

HTH,

Brian
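As an added illustration (not part of Brian's or Greg's messages, and not HTCondor project configuration), here is what the two-step approach looks like as a condor_config fragment, using the subnets from Greg's question as example addresses and a placeholder for the authenticated identity:

```ini
# Added example configuration, not from the thread.
# Addresses are the example ranges from Greg's question.

# (a) NETWORK_INTERFACE chooses the local device/address the daemons
#     bind to. It says nothing about which remote hosts may connect.
NETWORK_INTERFACE = 172.34.*

# (b) Who may talk to the daemons is decided by ALLOW_* / DENY_*.
#     Enumerate the "known good" subnets rather than listing every
#     subnet except the bad ones.
ALLOW_READ  = 172.34.*, 112.29.*
ALLOW_WRITE = 172.34.*, 112.29.*

# Carve out the VPN and wireless ranges. A client matching both an
# ALLOW_* and a DENY_* entry is denied, so these override the lines above.
DENY_READ  = 172.34.45.*, 112.29.68.*
DENY_WRITE = 172.34.45.*, 112.29.68.*

# Optional tightening in the form Brian shows: an authenticated identity
# followed by "/" and a network restriction. <IDENTITY>@<DOMAIN> is a
# placeholder for the identity your authentication method issues.
ALLOW_ADMINISTRATOR = <IDENTITY>@<DOMAIN>/172.34.*
```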

> On Nov 27, 2017, at 12:10 AM, Greg.Hitchen@xxxxxxxx wrote:
> 
> Hi All
> 
> Is there any way to have the equivalent of ALLOW/DENY attributes in the NETWORK_INTERFACE macro?
> 
> I am imagining a scenario where NETWORK_INTERFACE is used to specify only subnets that our organisation
> uses, e.g.
> 
> NETWORK_INTERFACE = 172.34.*, 112.29.*
> 
> BUT we also want to exclude certain subnets, e.g. VPN from home, wireless at work.
> So if these are on 172.34.45.* and 112.29.68.* how could this be done?
> 
> I've read the docs and can't see how to do it apart from explicitly doing it for EVERY subnet, i.e.
> specify EVERY subnet except the VPN and wireless ones:
> 
> NETWORK_INTERFACE = 172.34.1.*, 172.34.2.*, ......... , 172.34.44.*, 172.34.46.*, ......., 
> 112.29.1.*, 112.29.2.*, ....... , 112.29.67.*, 112.29.69.*, ........
> 
> What I need is the equivalent of:
> 
> ALLOW_NETWORK_INTERFACE = 172.34.*, 112.29.*
> DENY_NETWORK_INTERFACE = 172.34.45.*, 112.29.68.*
> 
> Thanks for any help, even if that's "you dummy, just do it like this!" :)
> 
> Cheers
> 
> Greg
> 
> 
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/