HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a...
Transcript of HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a...
![Page 1: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/1.jpg)
HTCondor
Security
Mechanisms
Overview
“Padlock” by Peter Ford © 2005
Licensed under the Creative Commons Attribution 2.0 license
http://www.flickr.com/photos/peterf/72583027/
http://www.webcitation.org/5XIiBcsUg
![Page 2: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/2.jpg)
2
HTCondor Security
› Allows authentication of
users and daemons
› Encryption over the
network
› Integrity checking over
the network
“locks-masterlocks.jpg” by Brian De Smet, © 2005 Used with permission. http://www.fief.org/sysadmin/blosxom.cgi/2005/07/21#locks
![Page 3: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/3.jpg)
3
Authorization
› HTCondor users ALLOW / DENY lists to
control authorization
› There are different levels of access in
HTCondor, and each can have a separate
authorization list and security policy.
![Page 4: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/4.jpg)
4
Authorization
› Possible values for authorization levels: CLIENT
READ
WRITE
CONFIG
ADMINISTRATOR
OWNER
DAEMON
NEGOTIATOR
![Page 5: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/5.jpg)
5
Authorization Levels
› READ
querying information
condor_status, condor_q, etc
› WRITE
updating information
condor_submit, adding nodes to a pool, sending ClassAds to the collector, etc
Includes READ
![Page 6: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/6.jpg)
6
Authorization Levels
› ADMINISTRATOR
Administrative commands
condor_on, condor_off,
condor_reconfig, condor_restart, etc.
Includes READ and WRITE
![Page 7: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/7.jpg)
7
Authorization Levels
› DAEMON
Daemon to daemon communications
Includes READ and WRITE
› NEGOTIATOR
condor_negotiator to other daemons
Includes READ
![Page 8: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/8.jpg)
8
Authorization
The full hierarchy of authorization levels:
READ
WRITE
DAEMON ADMINISTRATOR
CONFIG OWNER
CLIENT
NEGOTIATOR
![Page 9: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/9.jpg)
9
Authorization
› There is a separate ALLOW / DENY list for each
authorization level.
› DENY takes preference over ALLOW
ALLOW_READ = *
ALLOW_WRITE = *.cs.wisc.edu
DENY_WRITE = zeroday.cs.wisc.edu
ALLOW_ADMINISTRATOR = condor.cs.wisc.edu
![Page 10: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/10.jpg)
10
Host-based Authorization
› More Examples:
ALLOW_WRITE = *
ALLOW_WRITE = goose.cs.wisc.edu
ALLOW_WRITE = *.cs.wisc.edu
ALLOW_WRITE = 128.105.*
ALLOW_WRITE = 128.105.0.0/16
![Page 11: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/11.jpg)
11
Host-based Authorization
› Each entry is a comma-separated list.
› Wildcards are allowed only at the beginning of hostnames or at the end of IP addresses.
› Subnets are supported using a / and number of significant bits.
HOSTALLOW_WRITE = *.cs.wisc.edu, *.engr.wisc.edu
HOSTALLOW_WRITE = 128.105.*, *.engr.wisc.edu, 128.105.64.0/18
![Page 12: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/12.jpg)
12
Host-based Authorization
› This is the default setup, which has some
shortcomings but is easy to configure.
› Allows you to specify capabilities by
hostname, IP address, and/or subnet.
![Page 13: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/13.jpg)
13
Problems With Default Installation
› Host-based granularity is too big
Any user who can login to central manager has
“Administrator” privileges HOSTALLOW_ADMINISTRATOR = $(CONDOR_HOST)
Any user on an execute machine can evict the
job on that machine via condor_vacate HOSTALLOW_OWNER = $(FULL_HOSTNAME)
![Page 14: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/14.jpg)
14
Problems With Default Installation
› Most connections are NOT authenticated
Queue management commands (condor_submit,
condor_hold, etc.) are because Condor explicitly forces
authentication.
Daemon-to-daemon commands are not.
It is possible to send false information to the collector
and other denials of service
![Page 15: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/15.jpg)
15
Problems With Default Installation
› Traffic is not encrypted or checked for
integrity.
Possibility of someone eavesdropping on your
traffic, including files transferred to or from
execute machine
Possibility of someone modifying your traffic
without detection
![Page 16: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/16.jpg)
16
Security Policy Configuration
› Condor provides many mechanisms to
address the previous shortcomings:
Many authentication methods
Strong encryption
Signed checksums for integrity
![Page 17: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/17.jpg)
17
Security Policy Configuration
› Condor will negotiate security requirements
and supported methods
client server
I want to submit a job
You must authenticate w/ kerberos
KERBEROS
normal submit protocol
![Page 18: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/18.jpg)
18
Security Policy Configuration
Default Policy SEC_DEFAULT_ENCRYPTION = OPTIONAL
SEC_DEFAULT_INTEGRITY = OPTIONAL
SEC_DEFAULT_AUTHENTICATION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD #UNIX
SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI, KERBEROS, SSL, PASSWORD #WIN32
![Page 19: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/19.jpg)
19
Security Policy Configuration
Default Policy
Possible Policy Values NEVER do not allow this to happen
OPTIONAL do not request it, but allow it
PREFFERED request it, but do not require it
REQUIRED this is mandatory
SEC_DEFAULT_ENCRYPTION = OPTIONAL
SEC_DEFAULT_INTEGRITY = OPTIONAL
SEC_DEFAULT_AUTHENTICATION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD #UNIX
SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI, KERBEROS, SSL, PASSWORD #WIN32
![Page 20: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/20.jpg)
20
Security Policy Configuration
Y Y Y X
Y Y Y N
Y Y N N
X N N N
R P O N
Required
Preferred
Optional
Never
Client
Policy
Server Policy
Policy Reconciliation
![Page 21: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/21.jpg)
21
Security Policy Configuration
Policy Reconciliation Example
CLIENT POLICY SEC_DEFAULT_ENCRYPTION = OPTIONAL
SEC_DEFAULT_INTEGRITY = OPTIONAL
SEC_DEFAULT_AUTHENTICATION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD
SERVER POLICY SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL
RECONCILED POLICY ENCRYPTION = YES
INTEGRITY = YES
AUTHENTICATION = YES
METHODS = SSL
![Page 22: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/22.jpg)
22
Security Policy Configuration
Once you have authenticated users, you may
use a more fine-grained authorization list:
ALLOW_WRITE = [email protected]
ALLOW_WRITE = [email protected]/goose.cs.wisc.edu
ALLOW_WRITE = [email protected]/*.cs.wisc.edu
![Page 23: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/23.jpg)
23
Security Policy Configuration
› Format of canonical username:
user@domain/host
› One wildcard allowed in the user@domain portion, and one allowed in the host portion
› If there is no ‘/’ character, Condor will do one of two things: If there is an ‘@’ character, it is assumed to be a
username, and maps to user@domain/*
If there is no ‘@’, it is assumed to be a hostname and maps to */hostname
![Page 24: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/24.jpg)
24
Example Policies
› Allow anyone from wisc.edu:
ALLOW_READ=*.wisc.edu
› Allow any authenticated local user:
ALLOW_READ=*@wisc.edu/*.wisc.edu
› Allow specific user/machine
ALLOW_NEGOTIATOR= \
[email protected]/condor.wisc.edu
![Page 25: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/25.jpg)
25
AUTHENTICATION_METHODS
› How to authenticate users and daemons?
NTSSPI – Microsoft Windows
FS – (UNIX) Local file system
FS_REMOTE – (UNIX) Network file system
CLAIMTOBE – Insecure, for testing
ANONYMOUS – Insecure
PASSWORD – Shared secret
SSL – Public key encryption
Kerberos – Requires existing KDC setup
GSI – Globus/Grid Security Infrastructure
![Page 26: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/26.jpg)
26
NTSSPI
Microsoft Windows › Only works on Windows
› Password must be the same on both
systems
› No configuration required
![Page 27: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/27.jpg)
27
FS: File System
› Checks that the user can create a
directory owned by the user.
Only works on local
machine (uses /tmp)
Assumes filesystem
is trustworthy
› No configuration required
“Hard drive” by Robbie Sproule © 2005 Licensed under the Creative Commons Attribution 2.0 license http://www.flickr.com/photos/robbie1/73032053/ http://www.webcitation.org/5XQVcvsyYs
![Page 28: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/28.jpg)
28
FS_REMOTE
› Checks that the user can create a
directory owned by the user on a shared
filesystem
Works across machines
Assumes filesystem
is trustworthy!!! THIS IS
NOT ALWAYS TRUE!
Target directory must be
properly configured. “Hard drive” by Robbie Sproule © 2005 Licensed under the Creative Commons Attribution 2.0 license http://www.flickr.com/photos/robbie1/73032053/ http://www.webcitation.org/5XQVcvsyYs
![Page 29: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/29.jpg)
29
CLAIMTOBE
› CLAIMTOBE - Just what it sounds like
Allows client to send any ID
Very insecure
Useful for testing
![Page 30: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/30.jpg)
30
PASSWORD
› Shared secret
› Only suitable for daemon-to-daemon
communications, not for authenticating end
users
› Always authenticates as principle
“condor_pool@$(UID_DOMAIN)”
› Simple
› Works on both UNIX (using filesystem
protection) and Windows (using secure
registry storage)
![Page 31: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/31.jpg)
31
SSL
› Public key encryption system
› Daemons and users have X.509 certificates
› Flexible – all Condor daemons in pool can
share one certificate, or use one cert per host.
› Map file transforms X.509 distinguished name
into an identity (see later slides on mapping)
![Page 32: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/32.jpg)
32
Kerberos
and GSI
› Complex to set up
› Useful if you already
use one of these
systems
› The most secure
methods HTCondor
provides (along with
SSL) “two locks and a seed” by “Darwin Bell” © 2005 Licensed under the Creative Commons Attribution 2.0 license http://www.flickr.com/photos/darwinbell/321434315/ http://www.webcitation.org/5XQW02h8V
![Page 33: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/33.jpg)
33
Security Policy Configuration
› Map file controls how credentials are mapped to HTCondor user principals.
› In your condor_config:
CERTIFICATE_MAPFILE = /path/to/mapfile
› Each line is a mapping rule.
› Each rule has three fields:
method regex mapped_name
(any field with spaces should be quoted)
![Page 34: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/34.jpg)
34
Security Policy Configuration
› Some example map file entries:
(These should be one line, they are split here)
SSL
“/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin -- Madison/O=Computer
Sciences Department/OU=Condor Project/CN=Zach Miller/[email protected]”
SSL
“/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin -- Madison/O=Computer
Sciences Department/OU=Condor Project/CN=Todd Tannenbaum/[email protected]”
Etc.
![Page 35: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/35.jpg)
35
Security Policy Configuration
› Example with Regular Expression:
RegEx matches and sub-matches can be
referenced using \1, \2, etc.
The map file gives you a canonical name from
the authenticated user:
SSL Email=(.*) \1
“/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin –
Madison/O=Computer Sciences Department/OU=Condor Project
/CN=Zach Miller/[email protected]”
![Page 36: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/36.jpg)
36
Security Policy Configuration
› Default map file: (each line is <method> <regex> <mappedname>)
FS (.*) \1
FS_REMOTE (.*) \1
GSI (.*) GSS_ASSIST_GRIDMAP (Special Token to call Globus)
SSL (.*) unmapped
KERBEROS (.*) \1
NTSSPI (.*) \1
CLAIMTOBE (.*) \1
ANONYMOUS (.*) CONDOR_ANONYMOUS
PASSWORD (.*) \1
![Page 37: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/37.jpg)
37
Example Security Configuration
› Let’s put it all together with an example.
› Desired policy, in English:
Authenticate, encrypt, and do integrity checks
on everything.
Use SSL authentication for daemon-to-
daemon communication
Use FS (or SSL) authentication for users so
that we don’t need to issue certs to everyone.
![Page 38: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/38.jpg)
38
condor_submit
condor_q
condor_rm
…
schedd
central
manager
startd
![Page 39: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/39.jpg)
39
Example Security Configuration
# Turn on all security options:
SEC_DEFAULT_AUTHENTICATION=REQUIRED
SEC_DEFAULT_ENCRYPTION=REQUIRED
SEC_DEFAULT_INTEGRITY=REQUIRED
![Page 40: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/40.jpg)
40
Example Security Configuration
# Specify allowed methods:
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, SSL
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
› Requires giving your daemons an X.509 certificates
› You will also need a map file for SSL distinguished
names. Let’s assume the daemon cert maps to
› Let’s also assume the admin has a cert that maps
![Page 41: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/41.jpg)
41
Example Security Configuration
ALLOW_READ = *.wisc.edu
ALLOW_WRITE= *.wisc.edu
ALLOW_ADMINISTRATOR =
[email protected]/*.wisc.edu,
$(CONDOR_HOST)
![Page 42: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/42.jpg)
42
Example Security Configuration
ALLOW_DAEMON =
[email protected]/*.wisc.edu
ALLOW_NEGOTIATOR =
[email protected]/$(CONDOR_HOST)
![Page 43: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/43.jpg)
43
Users without Certificates
› Using FS authentication these users
can submit jobs and view the queue on
the local schedd
› condor_q –analyze and
condor_status won’t work for normal
users without an X.509 certificate
Requires READ access to
condor_collector
› FS won’t work across the network!
› How to let anyone read any daemon?
![Page 44: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/44.jpg)
44
condor_submit
condor_q
condor_rm
…
schedd
central
manager
startd
![Page 45: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/45.jpg)
45
Allow Any User Read Access
› One option: Allow weak methods for READ:
SEC_READ_AUTHENTICATION_METHODS =
FS, SSL, CLAIMTOBE
SEC_CLIENT_AUTHENTICATION_METHODS =
FS, SSL, CLAIMTOBE
› Or, just don’t require authentication at all for
READ commands:
SEC_READ_AUTHENTICATION = OPTIONAL
![Page 46: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/46.jpg)
46
Example, on one page
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, SSL
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
ALLOW_READ = *.wisc.edu
ALLOW_WRITE= *.wisc.edu
ALLOW_ADMINISTRATOR = [email protected]/*.wisc.edu, \
$(CONDOR_HOST)
ALLOW_DAEMON = [email protected]/*.wisc.edu
ALLOW_NEGOTIATOR = [email protected]/$(CONDOR_HOST)
![Page 47: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/47.jpg)
47
# Require authentication, encryption, integrity
use SECURITY: Strong
# By default, must authenticate via filesystem
# or pool password
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, PASSWORD
# Allow READ level access (e.g. condor_status)
# with ANONYMOUS authentication
SEC_READ_AUTHENTICATION_METHODS = \
$(SEC_DEFAULT_AUTHENTICATION_METHODS), ANONYMOUS
# Have tools like condor_status attempt ANONYMOUS
# authentication so that condor_status will work
# from any machine in the pool.
SEC_CLIENT_AUTHENTICATION_METHODS = \
$(SEC_DEFAULT_AUTHENTICATION_METHODS), ANONYMOUS
SEC_PASSWORD_FILE = /etc/condor/poolpassword
Todd’s Shared Secret Formula
![Page 48: HTCondor Security Mechanisms Overview€¦ · 11 Host-based Authorization ›Each entry is a comma-separated list. ›Wildcards are allowed only at the beginning of hostnames or at](https://reader033.fdocuments.in/reader033/viewer/2022052805/605744168825632a35605c51/html5/thumbnails/48.jpg)
48
Conclusion
Attached to Indico is Zach’s step-by-step
securing via SSL with your own CA talk…
… but this is overly complex IMO. Plan on
adding security cut-n-paste HOWTOs on
wiki.htcondor.org… and hopefully some
simpler ‘meta-knobs’ that lean more on
convention than configuration.