Work in progress. Not verified yet.

{section: Enabling IDTOKENS}

Is IDTOKENS in the authentication methods list by default? Is our best practice here to create =condor@$(TRUST_DOMAIN)= tokens? =role@$(TRUST_DOMAIN)= tokens? (There's a ticket to make the latter the default for promiscuous mode.)

The key part of the configuration is the ALLOW lists, which may eventually have sane user-based defaults (if we stop shipping a config file with =use security: host_based=).

Maybe what we really need is just the "upgrading from host-based to user-based security (with IDTOKENS)" page?

{section: Enabling Promiscuous Mode}

Enabling IDTOKENS doesn't mean you automatically start using it; you have to distribute tokens first. To make that easier, you can enable "promiscuous mode" by calling =condor_token_auto_approve=. (See the man page for details.) However, that doesn't work out of the box. Add the following three lines to your configuration.

{file: promiscuous-mode.config}
# Enable IDTOKENS' promiscuous mode.
COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
{endfile}

----

{file: central-manager.config}
CONDOR_HOST =
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : CentralManager
{endfile}

{file: submit.config}
CONDOR_HOST =
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : submit
# Allow any local user to submit jobs.
ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)
{endfile}

{file: execute.config}
CONDOR_HOST =
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : execute
{endfile}
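As an added example (not part of this wiki page, and not HTCondor's own code), the following script audits config fragments like the ones above against the two points the page makes: IDTOKENS must be in =SEC_DEFAULT_AUTHENTICATION_METHODS=, and wherever ANONYMOUS is added to a =SEC_<LEVEL>_AUTHENTICATION_METHODS= list other than READ, the matching =DENY_<LEVEL>= must shut anonymous clients out with =CONDOR_ANONYMOUS_USER*/*=. The parser is a deliberately simplified stand-in for =condor_config_val=: it handles one =KEY = VALUE= per line, =#= comments, =use= lines, and =$(NAME)= expansion in order of appearance (so =ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)= appends, as on the submit node). The sample configs are constructed from the page's fragments; =cm.example.invalid= is a placeholder host, and the "bad" variant simply drops the =DENY_DAEMON= line.

```python
import re

MACRO = re.compile(r"\$\(([A-Za-z0-9_.]+)\)")

# Constructed sample: the page's central-manager.config plus the three
# promiscuous-mode lines. CONDOR_HOST is a placeholder, not a real host.
GOOD_CONFIG = """
CONDOR_HOST = cm.example.invalid
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : CentralManager
# Enable IDTOKENS' promiscuous mode.
COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
"""

# Same fragment with the DENY_DAEMON line forgotten: anonymous clients could
# then authenticate at the DAEMON level on the collector.
BAD_CONFIG = GOOD_CONFIG.replace("COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*\n", "")


def parse_config(text):
    """Simplified HTCondor-style parser (hypothetical, not condor_config_val).

    Returns (settings, metaknobs). Macros are expanded with the values seen so
    far, so a later ALLOW_WRITE = $(ALLOW_WRITE) ... appends to the earlier one.
    Unknown macros expand to the empty string, as HTCondor does.
    """
    settings, metaknobs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("use "):
            metaknobs.append(line[4:].replace(" ", ""))  # e.g. "security:strong"
            continue
        key, _, value = line.partition("=")
        value = MACRO.sub(lambda m: settings.get(m.group(1), ""), value.strip())
        settings[key.strip()] = " ".join(value.split())
    return settings, metaknobs


def split_list(value):
    """HTCondor lists may be comma- or whitespace-separated."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def check_security(settings):
    """Return a list of findings (empty means the fragment passes)."""
    findings = []
    if "IDTOKENS" not in split_list(settings.get("SEC_DEFAULT_AUTHENTICATION_METHODS", "")):
        findings.append("SEC_DEFAULT_AUTHENTICATION_METHODS does not include IDTOKENS")

    for key, value in settings.items():
        # Anonymous authentication: allowed for READ (ALLOW_READ = * is intended),
        # but every other level needs the matching DENY list.
        m = re.fullmatch(r"(?:(\w+)\.)?SEC_(\w+)_AUTHENTICATION_METHODS", key)
        if m and "ANONYMOUS" in split_list(value):
            subsys, level = m.group(1), m.group(2)
            if level == "DEFAULT":
                findings.append(f"{key}: ANONYMOUS belongs in a per-level list on the "
                                "collector, not in the default list")
            elif level != "READ":
                deny_key = f"{subsys}.DENY_{level}" if subsys else f"DENY_{level}"
                deny = settings.get(deny_key, settings.get(f"DENY_{level}", ""))
                if "CONDOR_ANONYMOUS_USER" not in deny:
                    findings.append(f"{key} allows ANONYMOUS but {deny_key} does not "
                                    "contain CONDOR_ANONYMOUS_USER*/*")

        # Privileged ALLOW lists should name principals (condor@*), never bare *.
        if re.fullmatch(r"(?:\w+\.)?ALLOW_(ADMINISTRATOR|DAEMON|NEGOTIATOR|WRITE)", key):
            if "*" in split_list(value):
                findings.append(f"{key} grants access to everyone with a bare *")
    return findings


def audit(text):
    settings, _ = parse_config(text)
    return check_security(settings)


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run it as-is and the "good" fragment reports no findings while the "bad" one names the missing =COLLECTOR.DENY_DAEMON= entry; point =audit()= at the text of your own configuration (or at =condor_config_val -dump= output) to apply the same checks.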