Not fully verified yet (and not just the flocking part).
{file central-manager.config}
# Pool-wide security baseline. The same block is repeated verbatim in
# submit.config and execute.config below; keep the three copies in step (or
# pull them from one shared file with `include`), because any drift in an
# ALLOW_* line changes who may write to, negotiate with, or administer the pool.
#
# `strong` requires every connection to authenticate (the ANONYMOUS comments
# below rely on that); it presumably also turns on integrity and encryption --
# confirm with condor_config_val -dump on a configured host.
# (This section seems like it should be use security : user_based,
# but that has host names all over it.)
use security : strong
# Only the daemon identity may administer, own, write to, act as a daemon
# towards, or negotiate with any daemon. With IDTOKENS in the method list this
# means: whoever holds a token for condor@<anything> signed by the pool key is a
# full administrator of every daemon, so the signing key is the crown jewel.
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
# Anyone may READ. Together with the ANONYMOUS READ method enabled further
# down, this is an unauthenticated, network-reachable view of pool state
# (condor_status output); it must not be relied on to hide anything.
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Flocking (completely untested). FLOCK_FROM and FLOCK_NEGOTIATOR_HOSTS are not
# defined in this file; unless set elsewhere they expand to nothing and these
# lines reduce to the plain ALLOW_* values above.
# Should the first entry be $(ALLOW_NEGOTIATOR)? (Equivalent today, since
# ALLOW_NEGOTIATOR is condor@*; referencing it would keep the two in step if
# ALLOW_NEGOTIATOR is ever tightened.)
# NOTE(review): ALLOW_<LEVEL>_<SUBSYS> is the older per-daemon spelling; confirm
# the installed HTCondor still honours it rather than only the
# <SUBSYS>.ALLOW_<LEVEL> form (e.g. SCHEDD.ALLOW_NEGOTIATOR), otherwise these
# five lines are silently ignored.
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
# Enable IDTOKENS (for daemons) and FS (for users). FS only works for clients
# on the same host, so anything arriving over the network must present a token.
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
# NOTE(review): this assigns an EMPTY value. That overrides HTCondor's default
# ($(FULL_HOSTNAME)) rather than leaving it unset, so COLLECTOR_HOST on this
# host is empty too. submit.config and execute.config use 18.235.233.46; set
# the same address (or a name that resolves to this host) here, and confirm that
# TRUST_DOMAIN ends up identical on all three roles -- if it differs, tokens
# minted by this collector may be rejected by the other daemons.
CONDOR_HOST =
# central manager -specific bits
use role : CentralManager
# Allow IDTOKENS' promiscuous mode to work. Enable ANONYMOUS for DAEMON (token autorequest requires
# authentication, probably to secure the channel) and for READ (for condor_status, because we required
# all connections to be authenticated by enabling strong security).
# Consequence: any host that can reach the collector port can open an encrypted
# but unauthenticated session at DAEMON and READ level. Authorization is the
# only thing keeping that session read-only, so the ALLOW_*/DENY_* lines around
# this are load-bearing and any token request it triggers still needs approval.
COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
# Authenticate the ANONYMOUS daemon, but do NOT authorize it. Since ALLOW_READ is already *, we don't
# need to repeat this for READ.
# This DENY is defence in depth: ALLOW_DAEMON = condor@* above already excludes
# the anonymous identity, and a DENY match wins over any ALLOW match.
# NOTE(review): CONDOR_ANONYMOUS_USER reads like a source-level macro name, not
# necessarily the literal principal the ANONYMOUS method yields. Check the name
# an untokened host actually authenticates as (condor_ping -verbose against
# this collector) and match it here; as written the DENY may be a no-op.
COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
{endfile}
{file submit.config}
# Pool-wide security baseline -- must match central-manager.config; see the
# comments there for what each ALLOW_* grants.
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Flocking settings, kept identical to the central manager (untested there too).
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
# FS for local users, IDTOKENS for daemons and remote clients.
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : submit
# For admin and to set COLLECTOR_HOST.
# Deployment-specific public address; it must agree with execute.config and
# with whatever the central manager advertises.
CONDOR_HOST = 18.235.233.46
# Allow any local user to submit jobs. HTCondor expands a self-reference at
# assignment time, so this appends to the condor@* value above rather than
# recursing. It is placed after `use role : submit` on purpose, so the role
# metaknob cannot reset it.
# NOTE(review): FS authenticates users as <user>@$(UID_DOMAIN), and UID_DOMAIN
# defaults to the FULL hostname. If UID_DOMAIN is not set to the short name
# elsewhere, *@$(HOSTNAME) never matches and local submits are denied at WRITE.
# Check the identity a local `condor_ping -verbose WRITE` reports and use that
# domain here (but do not widen it to something remote IDTOKENS users share).
ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)
# For promiscuous mode (and condor_status and condor_q).
# Unlike the central manager, this enables ANONYMOUS READ for every daemon on
# this host (the schedd included), so job-queue metadata is readable by any
# host that can reach the schedd port. The client-side entry presumably lets
# this host's daemons fall back to ANONYMOUS while they have no token yet (the
# autorequest path); once tokens are installed, removing it would make a lost
# or revoked token fail loudly instead of silently downgrading.
SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
{endfile}
{file execute.config}
# Pool-wide security baseline -- must match central-manager.config; see the
# comments there for what each ALLOW_* grants.
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
# condor@* WRITE is what lets the schedd (running as the daemon identity) claim
# this startd; no local-user grant is needed or wanted on an execute node.
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Flocking settings, kept identical to the central manager (untested there too).
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
# FS for local users, IDTOKENS for daemons and remote clients.
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
# Deployment-specific public address; must agree with submit.config and with
# whatever the central manager advertises.
CONDOR_HOST = 18.235.233.46
use role : execute
# For promiscuous mode (and condor_status and condor_q, not that anyone
# should ever run those on the execute node).
# The exposure is the other way round: these lines govern who may query THIS
# host's startd, not which tools run here. With ALLOW_READ = * any reachable
# host can read slot and running-job ClassAds without a token. The client-side
# entry presumably exists for the initial token autorequest; consider removing
# it once the startd holds a token, so a missing token fails loudly.
SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
{endfile}