-Not fully verified yet (and not just the flocking part).
+Not fully verified yet.
 
 {file: central-manager.config}
 use security : strong
 
-# (This section seems like it should be use security : user_based,
-# but that has host names all over it.)
-
 ALLOW_ADMINISTRATOR = condor@*
 ALLOW_OWNER = condor@*
 ALLOW_READ = *
@@ -13,29 +10,16 @@
 ALLOW_DAEMON = condor@*
 ALLOW_NEGOTIATOR = condor@*
 
-# Flocking (completely untested, from use security: user_based).
-# Should the first entry be $(ALLOW_NEGOTIATOR)?
-ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
-ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
-ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
-ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
-ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
-
 # Enable IDTOKENS (for daemons) and FS (for users).
 SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
 
 CONDOR_HOST = <this machine's external IP address>
 
-# central manager -specific bits
 use role : CentralManager
 
-# Allow IDTOKENS' promiscuous mode to work.  Enable ANONYMOUS for DAEMON (token autorequest requires
-# authentication, probably to secure the channel) and for READ (for condor_status, because we required
-# all connections to be authenticated by enabling strong security).
+# Enable IDTOKENS' promiscuous mode.
 COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
 COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
-# Authenticate the ANONYMOUS daemon, but do NOT authorize it.  Since ALLOW_READ is already *, we don't
-# need to repeat this for READ.
 COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
 {endfile}
 
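Review bot: `COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*` is now left without any explanation, although it is the line that stops the ANONYMOUS method enabled just above it from being authorized at DAEMON level. The removed comment said this explicitly, and a reader trimming the recipe could drop the line without noticing what it protects. I would keep a one-line version, e.g. `# ANONYMOUS may authenticate so a token can be requested, but must never be authorized as DAEMON.` It would also help to keep the remark that READ needs no matching deny because `ALLOW_READ` is already `*` (set earlier in this file section, outside this hunk).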
@@ -49,25 +33,17 @@
 ALLOW_DAEMON = condor@*
 ALLOW_NEGOTIATOR = condor@*
 
-ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
-ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
-ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
-ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
-ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
-
+# Enable IDTOKENS (for daemons) and FS (for users).
 SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
 
-use role : submit
+CONDOR_HOST = <central manager's external IP address>
 
-# For admin and to set COLLECTOR_HOST.
-CONDOR_HOST = 18.235.233.46
+use role : submit
 
 # Allow any local user to submit jobs.
 ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)
 
-# For promiscuous mode (and condor_status and condor_q).  Do NOT put
-# ANONYMOUS first, since it always succeeds but we need a real user ID
-# for condor_q.
+# Enable IDTOKENS' promiscuous mode.  (Do ANONYMOUS last to keep `condor_q` working.)
 SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
 SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
 {endfile}
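Review bot: The shortened comment above `SEC_READ_AUTHENTICATION_METHODS` tells readers to keep ANONYMOUS last but no longer says why; the removed text explained that ANONYMOUS always succeeds, so listing it earlier would leave `condor_q` without a real user ID. Because the ordering decides whether a session carries a real identity, I would keep the reason: `# Keep ANONYMOUS last: it always succeeds, and condor_q needs a real user ID.` Separately, `$(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS` expands to `FS, IDTOKENS ANONYMOUS`, mixing comma and space separators; `$(SEC_DEFAULT_AUTHENTICATION_METHODS), ANONYMOUS` would be unambiguous, unless the parser is known to treat both separators alike. The same expansion appears in the central-manager and execute sections.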
@@ -82,20 +58,14 @@
 ALLOW_DAEMON = condor@*
 ALLOW_NEGOTIATOR = condor@*
 
-ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
-ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
-ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
-ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
-ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
-
+# Enable IDTOKENS (for daemons) and FS (for users).
 SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
 
-CONDOR_HOST = 18.235.233.46
+CONDOR_HOST = <central manager's external IP address>
 
 use role : execute
 
-# For promiscuous mode (and condor_status and condor_q, not that anyone
-# should ever run those on the execute node).
+# Enable IDTOKENS' promiscuous mode.  (Do ANONYMOUS last to keep `condor_q` working.)
 SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
 SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
 {endfile}
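Review bot: The comment added above `SEC_READ_AUTHENTICATION_METHODS` is copied from the submit section, but the text it replaces said nobody should run `condor_status` or `condor_q` on the execute node, so "to keep `condor_q` working" is not the reason that applies here. I would state what ANONYMOUS is for on this node, e.g. `# Enable IDTOKENS' promiscuous mode. Keep ANONYMOUS last so real credentials are tried first.` If READ-level ANONYMOUS exists only for those two tools, it is worth confirming whether the `SEC_READ_AUTHENTICATION_METHODS` line is needed on execute nodes at all, since every ANONYMOUS entry widens who can connect.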