
Re: [HTCondor-users] How to disable security ?



Because of the way key exchange works in HTCondor, if you have ENCRYPTION or INTEGRITY enabled,
then any attempt to turn off AUTHENTICATION will be overridden by the need for encryption/integrity.

You should remove these lines from your config
    Use security : strong 
    Use security : with_authentication

Or override them with later statements. These lines automatically include the above:
    Use security : recommended_v9_0
    Use security : get_htcondor_idtokens
    Use security : user_based

Try running

   condor_config_val -verbose -dump SEC_ ALLOW_

to see where your security config is being declared.

For totally insecure HTCondor, remove all "use security : " lines and then add

ALLOW_READ = *
ALLOW_WRITE = * 
ALLOW_DAEMON = *
ALLOW_ADMINISTRATOR = *
LEGACY_ALLOW_SEMANTICS = true

If you add this to your config

   ALL_DEBUG = $(ALL_DEBUG) D_CAT D_SECURITY:1

You can scan the log directory for D_SECURITY messages to see if any security remains...

-tj
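
An added example (not part of the original messages and not HTCondor project code): a small Python audit over the output of the `condor_config_val -verbose -dump SEC_ ALLOW_` command from the reply above. It flags wide-open `ALLOW_*` entries and the AUTHENTICATION = NEVER versus ENCRYPTION/INTEGRITY conflict the reply describes, so a throwaway test configuration can be told apart from one that should never reach a real pool. The dump layout, the sample values and treating REQUIRED/PREFERRED as "enabled" are assumptions.

```python
import re
# Constructed sample shaped like `condor_config_val -verbose -dump SEC_ ALLOW_`
# output; the "# at:" layout is an assumption and the paths are made up.
SAMPLE_DUMP = """\
ALLOW_READ = *
 # at: /etc/condor/config.d/99-test.conf, line 3
ALLOW_WRITE = $(CONDOR_HOST)
 # at: /etc/condor/config.d/01-pool.conf, line 7
SEC_DEFAULT_AUTHENTICATION = NEVER
 # at: /etc/condor/config.d/99-test.conf, line 9
SEC_DEFAULT_ENCRYPTION = REQUIRED
 # at: <Default>
SEC_CLIENT_INTEGRITY = OPTIONAL
 # at: /etc/condor/config.d/01-pool.conf, line 12
"""

KNOB = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*)$")
SEC = re.compile(r"^SEC_(\w+?)_(AUTHENTICATION|ENCRYPTION|INTEGRITY)$")
ENABLED = {"REQUIRED", "PREFERRED"}  # assumption: values counted as "enabled"

def parse_dump(text):
    """Return {NAME: (value, source)}; source comes from the '# at:' line."""
    knobs, last = {}, None
    for line in text.splitlines():
        m = KNOB.match(line)
        if m:
            last = m.group(1).upper()
            knobs[last] = (m.group(2).strip(), "unknown")
        elif last and line.strip().startswith("# at:"):
            knobs[last] = (knobs[last][0], line.split("at:", 1)[1].strip())
    return knobs

def audit(text):
    """List (knob, source, reason) for wide-open or self-contradicting settings."""
    knobs, findings, sec = parse_dump(text), [], {}
    for name, (value, src) in knobs.items():
        if name.startswith("ALLOW_") and "*" in re.split(r"[\s,]+", value):
            findings.append((name, src, "authorizes every host and user"))
        m = SEC.match(name)
        if m:
            sec.setdefault(m.group(1), {})[m.group(2)] = (value.upper(), src)
    for ctx, feats in sec.items():
        eff = {**sec.get("DEFAULT", {}), **feats}  # context falls back to SEC_DEFAULT_*
        auth = eff.get("AUTHENTICATION", ("", ""))
        forcing = [f for f in ("ENCRYPTION", "INTEGRITY") if eff.get(f, ("",))[0] in ENABLED]
        if auth[0] == "NEVER" and forcing:
            findings.append((f"SEC_{ctx}_AUTHENTICATION", auth[1],
                             "effective NEVER conflicts with enabled " + "/".join(forcing)))
    return findings
```

Feed it the real dump text (for instance captured with `subprocess.run`) instead of `SAMPLE_DUMP`; an empty result only means none of these two patterns matched, not that the pool is secure.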

-----Original Message-----
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Thomas Hartmann
Sent: Monday, March 27, 2023 8:30 AM
To: htcondor-users@xxxxxxxxxxx
Subject: Re: [HTCondor-users] How to disable security ?

Hi Gaetan,

Submitting jobs under root is not accepted by Condor for security
reasons (else a job could manipulate an execution point).

You can maybe switch from
   use security:recommended_v9_0
to
   use security:host_based
as security model to reduce the daemon to daemon security.

Cheers,
   Thomas

On 27/03/2023 13.53, Gaetan Geffroy wrote:
> I just want to create a pool with 4 Docker containers (CM, Submit, 2 
> workers), created by and for a python test and deleted after the test ran.
> 
> That pool will exist for literally 2 minutes before being deleted. I 
> don't care for security. I don't care who accesses which daemon and who 
> does what.
> 
> How can I achieve that? I've been spending hours on this now, I keep 
> getting authentication problems, especially with the Collector and the 
> Negotiator.
> 
> SEC_DEFAULT_AUTHENTICATION = NEVER returns "SECMAN:2002:Configuration 
> Problem: The security policy is invalid." for some reason, setting 
> SEC_DEFAULT_AUTHENTICATION to ANONYMOUS or CLAIMTOBE changes nothing.
> 
> I've tried all the variations of SEC_<context>_<feature>, setting all 
> the ALLOW_<something> to *, removed the "use SECURITY : " statements 
> everywhere. Half the time it tells me the config file is invalid, the 
> other half it seems not to do anything.
> 
> The only way I found to have my python program to successfully start and 
> send commands to the collector and the negotiator is to start it with 
> the root user, but then it cannot submit jobs.
> 
> I already threw and broke my wrist rest out of rage, I'm afraid the 
> keyboard will follow soon if I don't find a solution.
> 
> 
> *Gaetan Geffroy*
> Junior Software Engineer, Space