Hi all,

I am currently trying to open a test cluster to an outside scheduler, i.e., beyond our domain. My plan is to start with CLAIMTOBE/ANONYMOUS and then move up the security ladder to passwords and gsi/ssl certificates.

However, I am already struggling to connect the outside schedd to the collector with CLAIMTOBE/ANONYMOUS. The collector node should be wide open [1] (I think). But still the client schedd gets rejected with [2.a, 2.b]. The version is 8.8.5 [3], i.e., without the security settings added with 8.9 [3.a].

One thing I am wondering about is that although ALLOW_* is set to *, the applied config has *.$(UID_DOMAIN) [4].

So, I wonder why my sched still is not allowed to connect to the collector, although it should be wide open(?)

Cheers,
  Thomas

[1]
> cat /etc/condor/config.d/00access.conf
SEC_DEFAULT_ENCRYPTION = OPTIONAL
SEC_DEFAULT_INTEGRITY = OPTIONAL
SEC_DEFAULT_AUTHENTICATION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD, CLAIMTOBE, ANONYMOUS
ALLOW_READ = *
ALLOW_WRITE = $(ALLOW_READ)
ALLOW_DAEMON = $(ALLOW_READ)
GSI_DAEMON_DIRECTORY = /etc/grid-security
GSI_DAEMON_CERT = $(GSI_DAEMON_DIRECTORY)/hostcert.pem
GSI_DAEMON_KEY = $(GSI_DAEMON_DIRECTORY)/hostkey.pem
GSI_DAEMON_TRUSTED_CA_DIR = $(GSI_DAEMON_DIRECTORY)/certificates
## For Unix machines, the path and file name of the file containing
## the pool password for password authentication.
#SEC_PASSWORD_FILE = /etc/condor/pool_password

[2.a] sched client
> SchedLog
09/19/19 16:13:09 (pid:32327) ERROR: SECMAN:2010:Received "DENIED" from server for user unauthenticated@unmapped using no authentication method, which may imply host-based security. Our address was '188.185.ZZZ.AAA', and server's address was '131.169.XXX.YYY'. Check your ALLOW settings and IP protocols.
09/19/19 16:13:09 (pid:32327) Failed to start non-blocking update to <XXX.YYY>.

> MasterLog
09/19/19 16:13:08 ERROR: SECMAN:2010:Received "DENIED" from server for user unauthenticated@unmapped using no authentication method, which may imply host-based security. Our address was '188.185.ZZZ.AAA', and server's address was '131.169.XXX.YYY'. Check your ALLOW settings and IP protocols.
09/19/19 16:13:08 Failed to start non-blocking update to <XXXX.YYY>.

[2.b] master collector
> CollectorLog
09/19/19 16:13:09 PERMISSION DENIED to unauthenticated@unmapped from host 188.185.ZZZ.AAA for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: reason: cached result for ADVERTISE_SCHEDD; see first case for the full reason

[3]
condor-external-libs-8.8.5-1.el7.x86_64
condor-procd-8.8.5-1.el7.x86_64
condor-classads-8.8.5-1.el7.x86_64
condor-8.8.5-1.el7.x86_64

[3.a] https://research.cs.wisc.edu/htcondor/manual/v8.9.0/DevelopmentReleaseSeries89.html

[4]
> condor_config_val -dump | sort | grep ALLOW
ALLOW_READ = *.$(UID_DOMAIN)
ALLOW_DAEMON = $(ALLOW_READ)
ALLOW_WRITE = *.$(UID_DOMAIN)
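Added example, not part of the post above: HTCondor reads the fragments in its config directory in lexicographic order and a later definition of a knob replaces an earlier one, while `$(MACRO)` references are expanded only when the value is looked up. The script below reproduces that merge for a constructed config.d: `00access.conf` is the file quoted in [1]; `50domain.conf` is a hypothetical later fragment (not from the post) that would produce the `*.$(UID_DOMAIN)` seen in [4], and `example.org` is a made-up UID_DOMAIN. Note how `ALLOW_DAEMON` still reads `$(ALLOW_READ)` from the first file, exactly as in the dump, yet evaluates to the overriding value.

```python
import re
from collections import OrderedDict

# Constructed sample of a config.d directory: file name -> contents.
# 00access.conf is the file quoted in the post; 50domain.conf is hypothetical.
SAMPLE_CONFIG_D = {
    "00access.conf": """
SEC_DEFAULT_AUTHENTICATION = OPTIONAL
ALLOW_READ = *
ALLOW_WRITE = $(ALLOW_READ)
ALLOW_DAEMON = $(ALLOW_READ)
""",
    "50domain.conf": """
UID_DOMAIN = example.org
ALLOW_READ = *.$(UID_DOMAIN)
ALLOW_WRITE = *.$(UID_DOMAIN)
""",
}

LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*?)\s*$")
MACRO_RE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_.]*)\)")

def merge_config(files):
    """Read fragments in sorted (lexicographic) order; a later assignment
    of the same knob wins. Returns {NAME: (raw_value, defining_file)}."""
    merged = OrderedDict()
    for fname in sorted(files):
        for line in files[fname].splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            m = LINE_RE.match(line)
            if m:
                merged[m.group(1).upper()] = (m.group(2), fname)
    return merged

def expand(merged, name, depth=0):
    """Recursively expand $(MACRO) references in a knob's raw value."""
    if name.upper() not in merged or depth > 20:
        return ""
    raw = merged[name.upper()][0]
    return MACRO_RE.sub(lambda m: expand(merged, m.group(1), depth + 1), raw)

def explain(files, name):
    """Effective value and the file that last assigned the knob."""
    merged = merge_config(files)
    if name.upper() not in merged:
        return None
    return expand(merged, name), merged[name.upper()][1]

if __name__ == "__main__":
    for knob in ("ALLOW_READ", "ALLOW_WRITE", "ALLOW_DAEMON"):
        print(knob, explain(SAMPLE_CONFIG_D, knob))
```

On a real host, `condor_config_val -v ALLOW_READ` reports the same two facts (effective value and the file:line that set it) without any scripting.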