
Re: [HTCondor-users] HTCondor 24 SECMAN Password/Token oddity



I have a question about your configuration. In older versions (prior to 23.9.6), when using PASSWORD authentication, the authenticated identity should be condor_pool@$(UID_DOMAIN), which I don't see in your ALLOW rules. So I'm surprised that this configuration worked with 10.0.x.

 - Jaime

On Jan 7, 2025, at 12:38 PM, Jaime Frey via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

You are correct. We didn't fully appreciate how this change could disrupt older configurations that aren't just using the out-of-the-box authorization settings.
I will add this to the release notes (particularly the upgrade gotchas session). And I'll look into anything we can add in the next release to not break configurations such as yours.

 - Jaime

On Jan 7, 2025, at 5:13 AM, Thomas Birkett - STFC UKRI via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

Hi all,
 
 
This does state the new ID of `condor@password`. I see that this change is mentioned in the change-log of Condor 23.0.6 (https://htcondor.readthedocs.io/en/latest/version-history/feature-versions-23-x.html#version-23-9-6) however it's not evident that this impacts the `UID-DOMAIN` of this user and the associated ticket for the change (https://opensciencegrid.atlassian.net/browse/HTCONDOR-2486) doesn't state the now hard coded value of `password` as the UID-DOMAIN.
 
As this is quite a major change to the authentication model of environments upgrading from older versions, may I request the requirement for the user `condor@password` be made clearer in the changelog.
 
Many thanks,
 
Tom
 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Todd L Miller via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Date: Monday, 6 January 2025 at 19:19
To: Thomas Birkett - STFC UKRI via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Cc: Todd L Miller <tlmiller@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] HTCondor 24 SECMAN Password/Token oddity

> I assumed the domain was derived from the `TRUST_DOMAIN` ClassAd which
> is set to `gridpp.rl.ac.uk`. Is this new format of `condor@password` 
> expected?

         This may be related to HTCONDOR-2486, where we changed the default 
user ID for the PASSWORD method from `condor_pool` to `condor`, but I'm 
not sure why your old config worked, so I'm clearly missing something. 
(You don't appear to allow `condor_password` to write master ads to the 
collector.)

-- ToddM
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe

The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/