-Not fully verified yet.
+Work in progress.
+
+Not verified yet.
+
+{Section: Enabling IDTOKENS}
+
+Is IDTOKENS in the authentication methods list by default?
+
+Is our best practice here to create =condor@$(TRUST_DOMAIN)= tokens? =role@$(TRUST_DOMAIN)= tokens? (There's a ticket to make the latter the default for promiscuous mode.)
+
+The key part of the configuration is the ALLOW lists, which may eventually have sane user-based defaults (if we stop shipping a config file with =use security: host_based=).
+
+Maybe what we really need is just the "upgrading from host-based to user-based security (with IDTOKENS)" page?
+
+{section: Enabling Promiscuous Mode}
+
+Enabling IDTOKENS doesn't mean you automatically start using it; you have distribute tokens first. To make that easier, you can enable "promiscuous mode" by calling =condor_token_auto_approve=. (See the man page for details.) However, that doesn't work out of the box. Add the following three lines to your configuration.
+
+{file: promiscuous-mode.config}
+# Enable IDTOKENS' promiscuous mode.
+COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
+COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
+COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
+{endfile}
+
+----
{file: central-manager.config}
+CONDOR_HOST = <this machine's external IP address>
+
use security : strong
ALLOW_ADMINISTRATOR = condor@*
@@ -13,17 +40,12 @@
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
-CONDOR_HOST = <this machine's external IP address>
-
use role : CentralManager
-
-# Enable IDTOKENS' promiscuous mode.
-COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
-COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
-COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
{endfile}
{file: submit.config}
+CONDOR_HOST = <central manager's external IP address>
+
use security : strong
ALLOW_ADMINISTRATOR = condor@*
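Review bot: The new `CONDOR_HOST = <central manager's external IP address>` line at the top of submit.config (and the matching lines added to central-manager.config here and to execute.config in the next hunk) gives no hint that the value must be written identically on every node, which matters on this page because the tokens are scoped by `$(TRUST_DOMAIN)` and, if the trust domain is derived from the collector host as I believe it is, a hostname on one machine and an IP address on another would leave tokens issued by one node failing to validate on the other. A one-line comment above each setting would head that off: `# Use exactly the same value on every node; the IDTOKENS trust domain is derived from it.` The central-manager.config block ends at its {endfile} in this hunk but starts in the previous one, and the two placeholders (`<this machine's ...>` vs `<central manager's ...>`) describe the same value and could be worded the same way.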
@@ -36,19 +58,15 @@
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
-CONDOR_HOST = <central manager's external IP address>
-
use role : submit
# Allow any local user to submit jobs.
ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)
-
-# Enable IDTOKENS' promiscuous mode. (Do ANONYMOUS last to keep `condor_q` working.)
-SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
-SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
{endfile}
{file: execute.config}
+CONDOR_HOST = <central manager's external IP address>
+
use security : strong
ALLOW_ADMINISTRATOR = condor@*
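Review bot: The promiscuous-mode lines dropped from submit.config here (SEC_READ_AUTHENTICATION_METHODS and SEC_CLIENT_AUTHENTICATION_METHODS with ANONYMOUS appended, plus the note that ANONYMOUS goes last to keep condor_q working) have no counterpart in the new "Enabling Promiscuous Mode" section, which tells the reader to add only the three COLLECTOR.* lines. Because this page sets `SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS`, submit and execute nodes will no longer offer ANONYMOUS as clients unless configured to; if that is still needed for condor_token_auto_approve to work, the new section should list those lines and carry the condor_q ordering caveat with them. The same removal occurs for execute.config in the next hunk. The submit.config block starts in the previous hunk, and the section being referred to is in the first hunk of this diff.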
@@ -61,11 +79,5 @@
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
-CONDOR_HOST = <central manager's external IP address>
-
use role : execute
-
-# Enable IDTOKENS' promiscuous mode. (Do ANONYMOUS last to keep `condor_q` working.)
-SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
-SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
{endfile}