Hi Jaime,
Apologies about the confusion. The allow rules were in another config file, and when I did my `condor_config_val -summary` I omitted the file with that config. Once again, I apologise about the confusion! Condor24 is now working well.
Many thanks,
Tom
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Jaime Frey via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Date: Tuesday, 7 January 2025 at 19:07
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Jaime Frey <jfrey@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] HTCondor 24 SECMAN Password/Token oddity
I have a question about your configuration. In older versions (prior to 23.9.6), when using PASSWORD authentication, the authenticated identity should be condor_pool@$(UID_DOMAIN), which I don't see in your ALLOW rules. So I'm surprised that this configuration worked with 10.0.x.
- Jaime
On Jan 7, 2025, at 12:38 PM, Jaime Frey via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
You are correct. We didn't fully appreciate how this change could disrupt older configurations that aren't just using the out-of-the-box authorization settings.
I will add this to the release notes (particularly the upgrade gotchas session). And I'll look into anything we can add in the next release to not break configurations such as yours.
- Jaime
On Jan 7, 2025, at 5:13 AM, Thomas Birkett - STFC UKRI via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
As this is quite a major change to the authentication model of environments upgrading from older versions, may I request the requirement for the user `condor@password` be made clearer in the changelog.
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Todd L Miller via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Date: Monday, 6 January 2025 at 19:19
To: Thomas Birkett - STFC UKRI via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Cc: Todd L Miller <tlmiller@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] HTCondor 24 SECMAN Password/Token oddity
> I assumed the domain was derived from the `TRUST_DOMAIN` ClassAd which
> is set to `gridpp.rl.ac.uk`. Is this new format of `condor@password`
> expected?
This may be related to HTCONDOR-2486, where we changed the default
user ID for the PASSWORD method from `condor_pool` to `condor`, but I'm
not sure why your old config worked, so I'm clearly missing something.
(You don't appear to allow `condor_password` to write master ads to the
collector.)
-- ToddM
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/