
Re: [HTCondor-users] How to disable security ?



Hi Thomas,

Thank you for this suggestion, I had completely forgotten about the 00-htcondor-9.0.config (which by the way is confusing since I am using 10.0.2).
The line "use security:recommended_v9_0" in that file was the reason why some of the changes I was trying to make to the security config file were rejected; switching to host based resolved the issue.

Thanks a lot to you, as well as to Todd, John, Jason and Tom who also gave me useful insights on this issue.
This mailing list has been a lifesaver for me several times already, so thanks again.

Cheers,
Gaëtan


Gaetan Geffroy
Junior Software Engineer
Terma GmbH
-----Original Message-----
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Thomas Hartmann
Sent: Monday, March 27, 2023 15:30
To: htcondor-users@xxxxxxxxxxx
Subject: Re: [HTCondor-users] How to disable security ?


Hi Gaetan,

Submitting jobs under root is not accepted by Condor for security reasons (else a job could manipulate an execution point).

You can maybe switch from
   use security:recommended_v9_0
to
   use security:host_based
as security model to reduce the daemon to daemon security.

Cheers,
   Thomas

On 27/03/2023 13.53, Gaetan Geffroy wrote:
> I just want to create a pool with 4 Docker containers (CM, Submit, 2 
> workers), created by and for a python test and deleted after the test ran.
>
> That pool will exist for literally 2 minutes before being deleted. I 
> don't care for security. I don't care who accesses which daemon and 
> who does what.
>
> How can I achieve that? I've been spending hours on this now, I keep 
> getting authentication problems, especially with the Collector and the 
> Negotiator.
>
> SEC_DEFAULT_AUTHENTICATION = NEVER returns "SECMAN:2002:Configuration
> Problem: The security policy is invalid." for some reason, setting 
> SEC_DEFAULT_AUTHENTICATION to ANONYMOUS or CLAIMTOBE changes nothing.
>
> I've tried all the variations of SEC_<context>_<feature>, setting all 
> the ALLOW_<something> to *, removed the "use SECURITY : " statements 
> everywhere. Half the time it tells me the config file is invalid, the 
> other half it seems not to do anything.
>
> The only way I found to have my python program to successfully start 
> and send commands to the collector and the negotiator is to start it 
> with the root user, but then it cannot submit jobs.
>
> I already threw and broke my wrist rest out of rage, I'm afraid the 
> keyboard will follow soon if I don't find a solution.
>
>
> *Gaetan Geffroy*
> Junior Software Engineer, Space
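
Added example, not part of the original thread and not HTCondor's own code: a small audit that lists every `use security:` line across a set of config fragments, so that a shipped file such as 00-htcondor-9.0.config still applying `recommended_v9_0` is spotted before a pool is switched to `host_based`. The file name `99-test-pool.config`, the sample contents and the helper names are constructed for illustration, and the sorted-name visiting order is an assumption about how the config directory is read.

```python
import re
from pathlib import Path

# "use security:host_based" or "use SECURITY : recommended_v9_0"; a line that
# starts with '#' is a comment and never matches.
USE_SECURITY = re.compile(r"^\s*use\s+security\s*:\s*([A-Za-z0-9_]+)", re.IGNORECASE)


def security_templates(fragments):
    """List (file, line_no, template) for each 'use security:' line.

    `fragments` maps file name -> text. Files are visited in sorted-name
    order (assumed here to match the order the config directory is read in).
    """
    hits = []
    for name in sorted(fragments):
        for line_no, line in enumerate(fragments[name].splitlines(), 1):
            m = USE_SECURITY.match(line)
            if m:
                hits.append((name, line_no, m.group(1).lower()))
    return hits


def unexpected(fragments, wanted):
    """Return the hits whose template differs from the one the pool should use."""
    return [h for h in security_templates(fragments) if h[2] != wanted.lower()]


def load_dir(path):
    """Read every regular file of a config directory into a fragments dict."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


# Constructed sample: the shipped file named in the thread plus a
# hypothetical local override file.
SAMPLE = {
    "99-test-pool.config": "# use security:recommended_v9_0\n\nuse SECURITY : host_based\n",
    "00-htcondor-9.0.config": "# defaults\nuse security:recommended_v9_0\n",
}

if __name__ == "__main__":
    for name, line_no, template in security_templates(SAMPLE):
        print(f"{name}:{line_no}: use security:{template}")
    for name, line_no, template in unexpected(SAMPLE, "host_based"):
        print(f"still applied: {template} ({name}, line {line_no})")
```

To audit a real installation, pass the result of `load_dir()` on the pool's config directory to `unexpected()` instead of `SAMPLE`.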