
Re: [HTCondor-users] ALLOW_ question and upgrade



Sorry, you cannot just use ALLOW = *.  The HTCondor security layer would not understand it.  What you have here

ALLOW_READ = * 
ALLOW_DAEMON = $(CONDOR_HOST), submit*.wisc.edu, worker*.wisc.edu
ALLOW_NEGOTIATOR = $(CONDOR_HOST) 
ALLOW_ADMINISTRATOR = $(CONDOR_HOST) 

is probably the minimum number of allow statements that you can get away with for the central manager.

The AP (schedd) will also need

ALLOW_WRITE = ??

where ?? is a pattern that matches which users are allowed to submit jobs. If you trust your firewalls
then ALLOW_WRITE = * should be fine here.

Otherwise it should be a pattern that matches valid usernames, like:

ALLOW_WRITE = *@$(UID_DOMAIN)


-tj


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Rita <rmorgan466@xxxxxxxxx>
Sent: Thursday, July 25, 2024 9:43 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] ALLOW_ question and upgrade
 
We recently upgraded to the 10.x series of Condor. We want to secure it but also add additional functionality for users.

My question is, 
ALLOW_READ = * 
ALLOW_DAEMON = $(CONDOR_HOST), submit*.wisc.edu, worker*.wisc.edu
ALLOW_NEGOTIATOR = $(CONDOR_HOST)
ALLOW_ADMINISTRATOR = $(CONDOR_HOST) 

Do I need all these parameters? Can I just say ALLOW = * ? 

Second, 
I want remote submissions. So, from a host which has condor binaries, I would like to submit jobs like this: condor_submit -sched hostK1, where hostK1 has schedd running.


--
--- Get your facts first, then you can distort them as you please.--
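
The reply's guidance can be turned into a quick pre-deployment check. The following is an added example, not part of the original thread and not HTCondor tooling: a small Python audit that flags a bare ALLOW setting, per-level settings missing for a host role, and a `*` wildcard on any level other than ALLOW_READ. The role names `central_manager` and `ap`, the function names and the example.org hostnames are assumptions, and the parser handles only simple `NAME = value` lines and `$(NAME)` macros, not the full HTCondor configuration language.

```python
import re

# Levels named in the reply: four on the central manager, plus ALLOW_WRITE on the AP.
CM_LEVELS = ("ALLOW_READ", "ALLOW_DAEMON", "ALLOW_NEGOTIATOR", "ALLOW_ADMINISTRATOR")
REQUIRED = {"central_manager": CM_LEVELS, "ap": CM_LEVELS + ("ALLOW_WRITE",)}

def parse(text):
    """Read 'NAME = value' lines (names are case-insensitive; last one wins)."""
    cfg = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith("#"):
            cfg[name.strip().upper()] = value.strip()
    return cfg

def expand(value, cfg):
    """Substitute $(NAME) macros defined in the same fragment (bounded passes)."""
    for _ in range(5):
        value = re.sub(r"\$\((\w+)\)", lambda m: cfg.get(m.group(1).upper(), m.group(0)), value)
    return value

def audit(text, role):
    """Return (severity, setting, message) findings for one host role."""
    cfg, findings = parse(text), []
    if "ALLOW" in cfg:
        findings.append(("error", "ALLOW", "bare ALLOW is not understood; set ALLOW_<LEVEL>"))
    for level in REQUIRED[role]:
        if level not in cfg:
            findings.append(("error", level, "not set for role " + role))
    for name, raw in cfg.items():
        # ALLOW_READ = * is what the thread itself uses, so it is not flagged.
        if name.startswith("ALLOW_") and name != "ALLOW_READ":
            if "*" in re.split(r"[,\s]+", expand(raw, cfg)):
                findings.append(("warn", name, "'*' admits anyone; only the firewall limits access"))
    return findings

# Constructed sample: an AP (schedd) host whose ALLOW_WRITE is fully open.
SAMPLE_AP = """\
CONDOR_HOST = cm.example.org
ALLOW_READ = *
ALLOW_DAEMON = $(CONDOR_HOST), submit*.example.org
ALLOW_NEGOTIATOR = $(CONDOR_HOST)
ALLOW_ADMINISTRATOR = $(CONDOR_HOST)
ALLOW_WRITE = *
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_AP, "ap"):
        print(*finding)
```

Replacing the wildcard with `*@$(UID_DOMAIN)`, as the reply suggests, clears the warning for the sample.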