
Re: [HTCondor-users] Condor 23.10.1 compatibility problem with Conda



The new and legacy security meta-knobs both enable stronger security than not setting a security meta-knob. The main difference between the two is that the new knob allows READ-level commands to be performed without authentication but with encryption and integrity. The old knob tried to allow unauthenticated READ commands, but was incomplete in that regard.

For HTCondor 24.0, we'll be changing the 00-security configuration file to the following:

if version >= 23.10.0
    use security:recommended
else
    use security:recommended_v9_0
endif


This will allow newer binaries to use the new meta-knob and older binaries (like user-installed python bindings) to use the old meta-knob.

You can expand a meta-knob with this command: condor_config_val use security:recommended

Some meta-knobs reference other meta-knobs. To get a full expansion, you can create a configuration file with just that knob set, then run condor_config_val -summary on that file:

% echo 'use security:recommended' >config.example
% condor_config_val -root-config config.example -summary

 - Jaime
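
The two commands above can be scripted to show exactly which settings differ between the legacy and the new meta-knob. This is an added example, not part of the original message or of HTCondor's own tooling; the function names are hypothetical, and it assumes that header lines in the -summary output begin with '#'.

```sh
#!/bin/sh
# Added example: diff the full expansions of the legacy and new security
# meta-knobs, using the condor_config_val invocation shown in the message.

# expand_knob KNOB OUTFILE  (hypothetical helper)
# Writes a root config holding only "use KNOB" and stores the sorted
# -summary output, minus comment and blank lines, in OUTFILE.
expand_knob() {
    knob=$1
    out=$2
    cfg=$(mktemp) || return 2
    raw=$(mktemp) || { rm -f "$cfg"; return 2; }
    printf 'use %s\n' "$knob" >"$cfg"
    knob_rc=0
    condor_config_val -root-config "$cfg" -summary >"$raw" || knob_rc=$?
    # Assumption: header lines start with '#'. They name the temporary
    # config file, so keeping them would make every diff look different.
    grep -v -e '^#' -e '^[[:space:]]*$' "$raw" | sort >"$out"
    rm -f "$cfg" "$raw"
    return "$knob_rc"
}

# compare_security_knobs  (hypothetical helper)
# Prints a unified diff, legacy first. Returns 0 when both knobs expand
# to the same settings, 1 when they differ, 2 when an expansion failed.
compare_security_knobs() {
    dir=$(mktemp -d) || return 2
    diff_rc=0
    if expand_knob security:recommended_v9_0 "$dir/recommended_v9_0" &&
       expand_knob security:recommended "$dir/recommended"; then
        (cd "$dir" && diff -u recommended_v9_0 recommended) || diff_rc=$?
    else
        diff_rc=2
    fi
    rm -rf "$dir"
    return "$diff_rc"
}
```

Run compare_security_knobs on a host with HTCondor 23.10.0 or later installed; lines prefixed with '-' come only from security:recommended_v9_0 and lines prefixed with '+' only from security:recommended.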

> On Oct 24, 2024, at 3:49 PM, Anderson, Stuart B. <sba@xxxxxxxxxxx> wrote:
> 
> Jaime, thank you for the detailed explanation.
> 
> Please confirm (or correct) my understanding that setting a 23.10.x (or 24.y.z) AP to use the legacy setting security:recommended_v9_0 will provide secure connections from applications connecting to daemons via older Python bindings, and will in no way degrade daemon-to-daemon security relative to the same AP running without a security metaknob setting?
> 
> More generally, how can I expand the "use security:recommended" metaknob to find out the list of individual security settings it represents?
> 
> Thanks.
> 
> 
>> On Oct 24, 2024, at 11:22 AM, Jaime Frey via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
>> 
>> "use security:recommended" is a new meta-knob introduced in 23.10.0. It replaces the previous meta-knob "use security:recommended_v9_0". If you're not running any daemons using these configuration files, then the only impact is that your python bindings and command-line tools will not insist on any authentication, encryption, or integrity when communicating with daemons. Any reasonably-configured daemons will insist on using some of these, which will still work.
>> 
>> If you are running daemons using these configuration files, then you will not get any default authorization rules. If you're not setting the ALLOW_XXXX config parameters yourself, then the daemons won't accept any connections.
>> 
>> The issue is not compatibility with Conda python bindings, but compatibility with bindings using HTCondor versions older than 23.10.0. We had not sufficiently considered the case of a new HTCondor OS package and old user-installed bindings when adding the new meta-knob to the default configuration files. We are looking at changing the default configuration to avoid this problem for the 24.0 release.
>> 
>> - Jaime
> 
> 
> --
> Stuart Anderson
> sba@xxxxxxxxxxx
> 
> 
> 
> 