
Re: [HTCondor-users] ALLOW_ question and upgrade



Yes, I trust my firewall. We are on a local network for our lab.
I have been following https://indico.cern.ch/event/272794/contributions/614951/attachments/490442/677971/HTCondor-Security-Overview.pdf, and it seems they have ALLOW_WRITE = * and the same goes for ALLOW_READ = *.
For now, I don't care too much about security. Then eventually I will prune it down. Is there a better PDF / document I can follow to set this up? I feel the documentation is too sparse on this topic.

On Thu, Jul 25, 2024 at 12:15 PM John M Knoeller via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
Sorry, you cannot just use ALLOW = *. The HTCondor security layer would not understand it. What you have here

ALLOW_READ = *
ALLOW_DAEMON = $(CONDOR_HOST), submit*.wisc.edu, worker*.wisc.edu
ALLOW_NEGOTIATOR = $(CONDOR_HOST)
ALLOW_ADMINISTRATOR = $(CONDOR_HOST)

is probably the minimum number of allow statements that you can get away with for the central manager.

The AP (schedd), will also need

ALLOW_WRITE = ??

where ?? is a pattern that matches what users are allowed to submit jobs. If you trust your firewalls
then ALLOW_WRITE = * should be fine here.

Otherwise it should be a pattern that matches valid usernames, like

ALLOW_WRITE = *@$(UID_DOMAIN)


-tj


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Rita <rmorgan466@xxxxxxxxx>
Sent: Thursday, July 25, 2024 9:43 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] ALLOW_ question and upgrade

We recently upgraded to the 10.x series of Condor. We want to secure it but also add additional functionality for users.

My question is,
CONDOR_HOST = my-central-manager.wisc.edu
ALLOW_READ = *
ALLOW_DAEMON = $(CONDOR_HOST), submit*.wisc.edu, worker*.wisc.edu
ALLOW_NEGOTIATOR = $(CONDOR_HOST)
ALLOW_ADMINISTRATOR = $(CONDOR_HOST)

Do I need all these parameters? Can I just say ALLOW = * ?

Second,
I want remote submissions. So, from a host which has condor binaries, I would like to submit jobs like this: condor_submit -sched hostK1, where hostK1 has schedd running.


--
--- Get your facts first, then you can distort them as you please.--


--
--- Get your facts first, then you can distort them as you please.--
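
For the "prune it down later" step mentioned in this thread, here is a small audit script, added as an example and not part of the thread or of HTCondor. It reads simple `NAME = value` configuration text and lists which ALLOW settings are fully open, which rely on wildcard patterns, and any bare `ALLOW`; the function names, finding labels and sample text are constructed for illustration.

```python
import re

# Authorization levels named in this thread; HTCondor defines others as well.
LEVELS = {"READ", "WRITE", "DAEMON", "NEGOTIATOR", "ADMINISTRATOR"}
MACRO = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")

# Constructed sample built from the settings quoted in the thread.
SAMPLE = """
CONDOR_HOST = my-central-manager.wisc.edu
ALLOW = *
ALLOW_READ = *
ALLOW_WRITE = *
ALLOW_DAEMON = $(CONDOR_HOST), submit*.wisc.edu, worker*.wisc.edu
ALLOW_NEGOTIATOR = $(CONDOR_HOST)
ALLOW_ADMINISTRATOR = $(CONDOR_HOST)
"""

def parse(text):
    """Read simple NAME = value lines (no includes, conditionals or continuations)."""
    cfg = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith("#"):
            cfg[name.strip().upper()] = value.strip()
    return cfg

def expand(value, cfg):
    """Substitute $(NAME) references; undefined names are left untouched."""
    for _ in range(10):  # bounded so a self-referencing macro cannot loop forever
        value = MACRO.sub(lambda m: cfg.get(m.group(1).upper(), m.group(0)), value)
    return value

def audit(text):
    """Return (setting, finding, entry) tuples; assumes comma-separated entries."""
    cfg, findings = parse(text), []
    for name, raw in cfg.items():
        if name == "ALLOW":  # the reply in the thread: a bare ALLOW is not understood
            findings.append((name, "no-level", raw))
        elif name.startswith("ALLOW_") and name[6:] in LEVELS:
            for entry in (e.strip() for e in expand(raw, cfg).split(",")):
                if entry == "*":
                    findings.append((name, "open", entry))
                elif "*" in entry:
                    findings.append((name, "pattern", entry))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

On a real pool, the text to audit would come from the effective configuration (for example the output of `condor_config_val -dump`) rather than from a single file.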