Mailing List Archives

Authenticated access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] mapfile, passing variables

How exactly do I combine the certs and private keys? cat key0 key1 >> keys and cat cert0 cert1Â>> certs?
Is this mentioned anywhere in the manual or condor presentations?

On Fri, Aug 9, 2024 at 4:45âPM Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
You can use these parameters instead of the AUTH_SSL_USE_CLIENT_PROXY_ENV_VAR and X509_USER_PROXY variables I describe in my other email.

Â- Jaime

On Aug 9, 2024, at 2:16âPM, Rita <rmorgan466@xxxxxxxxx> wrote:

I am pretty sure I need these,Âhttps://htcondor.readthedocs.io/en/latest/admin-manual/configuration-macros.html#AUTH_SSL_CLIENT_KEYFILE andÂhttps://htcondor.readthedocs.io/en/latest/admin-manual/configuration-macros.html#AUTH_SSL_CLIENT_CERTFILE

But these are system level knobs. There must be some environment variable I can tune to allow it to use user's cert and key.

On Fri, Aug 9, 2024 at 3:13âPM Rita <rmorgan466@xxxxxxxxx> wrote:
Jaime,Â
Thanks for the response.Â
I don't want to use FS authentication because I plan to submit jobs to a remote scheduler. I have been SSL thru the tutorial numerous times and I got the hang of SSL authenticationÂso I want to stick to it. I am at the point where I can create a separateÂSSL certificate for a user. I already have a few. But, I am not sure how a user can say, "use this certificate"...






On Fri, Aug 9, 2024 at 3:05âPM Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
Letâs back up a step.
I assumed you already had separate SSL certificates for each of your users, which you wanted them to use to authenticate to HTCondor when submitting jobs. It sounds like that is not the situation, in which case I would recommend a different authentication method. If the users are logged into the machine running the condor_schedd, then the FS authentication method is ideal. It doesnât require any additional configuration.
If the users will be submitting jobs from a remote machine, then I recommend the IDTOKENS authentication method. You would create an IDToken for each user and place it in their home directory (under ~/.condor/tokens.d/). No configuration changes are required.

Â- Jaime

On Aug 9, 2024, at 1:04âPM, Rita <rmorgan466@xxxxxxxxx> wrote:

I can create multiple user certificates from a CSR. Such as this

openssl ca -config openssl.cnf -out zmiller.crt -infiles zmiller.req

I can inspect zmiller.crt. But how exactly do I use zmiller.crtÂ(its signed also)?Â

On Fri, Aug 9, 2024 at 1:56âPM Rita <rmorgan466@xxxxxxxxx> wrote:
I am not following how a user can use their certificate. There is only 1 certificate for the pool. According to the tutorial (https://research.cs.wisc.edu/htcondor/CondorWeek2011/presentations/zmiller-ssl-tutorial.pdf), there is only 1 certificate.Â

On Fri, Aug 9, 2024 at 1:53âPM Rita <rmorgan466@xxxxxxxxx> wrote:
In your example, you have onlyÂone user (jfrey). Do you have an example with multiple users?Â

On Fri, Aug 9, 2024 at 10:58âAM Jaime Frey via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
The mapfile is how you tell HTCondor what user each SSL certificate should be mapped to. It can't define a $REMOTE_USER variable, as it doesnât have any information to determine a value.

You will probably have to add an entry in the mapfile for each userâs SSL certificate, providing the os account that certificate should be mapped to. Hereâs an example:

SSL "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=jafrey/CN=647245/CN=James Freyâ jfrey

If your usersâ SSL DNs contain the os account name (e.g. if the DN include the userâs email address for your organization), you can use regular _expression_ rules to extract that and derive the os account name.

Â- Jaime

> On Aug 9, 2024, at 8:15âAM, Rita <rmorgan466@xxxxxxxxx> wrote:
>
> I have a mapfile which is using SSL. I have 30 odd users. At the moment, I have
> SSL (.*)Â usera
>
> All jobs are going in as usera which isn't correct. Is it possible to pass
> SSL (*.) $REMOTE_USER
>
> or something like that?





--
--- Get your facts first, then you can distort them as you please.--


--
--- Get your facts first, then you can distort them as you please.--



--
--- Get your facts first, then you can distort them as you please.--