How to enable IDTOKENS authentication in HTCondor 8.9.12 and later

If you would like a simple method for authenticating daemon-to-daemon communication, IDTOKENS is relatively straightforward. Once IDTOKENS authentication is set up, your HTCondor daemons will only trust other HTCondor daemons that can read a secret signing key, stored on each machine in a file readable only by the privileged account HTCondor runs as (root on Linux). This effectively prevents unauthorized machines from joining your pool, and also prevents users from starting their own HTCondor daemons on machines that are authorized by host-based (IP address) authentication.

(LINUX NOTE: you may need to tell HTCondor where to store the signing key. If you installed from an RPM, /etc/condor/passwords.d (the default SEC_PASSWORD_DIRECTORY) should already exist. Otherwise, create it as root and set the permissions to 0755. The directory itself may be world-readable because the key file inside it is what must stay private: it is created root-owned with mode 0600.)

(WINDOWS NOTE: In the config settings below, change FS to NTSSPI in SEC_CLIENT_AUTHENTICATION_METHODS.)

INSTRUCTIONS FOR ALL PLATFORMS: Add the following lines to enable the IDTOKENS method in the condor_config file:

SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = IDTOKENS
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = IDTOKENS
SEC_CLIENT_AUTHENTICATION_METHODS = FS, IDTOKENS
ALLOW_DAEMON = condor_pool@*

NOTE: If you have configured any other authentication methods, make sure to keep them in the list of CLIENT methods.

Then, on each machine in your pool, run this command as root:

condor_store_cred -c add

It will prompt you for a password, which becomes the pool signing key. You can supply it with -p on the command line instead, but the key is then visible in the process list and in your shell history, so prefer the prompt. On Linux machines you can set the key once and then copy the file /etc/condor/passwords.d/POOL to all other machines. If you do so, copy it over an authenticated, encrypted channel, and verify on each machine that the file is owned by root with permissions 0600.

If your HTCondor daemons were already running when you made these changes, don't forget to reconfigure your pool to have the new settings take effect:

condor_reconfig -all
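The procedure above, scripted for one Linux host, as an added example that is not part of the wiki page and not HTCondor's own tooling. It assumes Linux with GNU coreutils (for stat -c), an RPM-style install so that /etc/condor/config.d and /etc/condor/passwords.d exist, and that it is run as root. The fragment name 99-idtokens.conf and the function names are my choices. The permission check refuses a key file that is not mode 0600 and root-owned, which is the failure mode to watch for when the POOL file is copied between machines by hand.

```shell
#!/bin/bash
# Added example (not from the HTCondor wiki page): apply the IDTOKENS settings
# on a Linux host and verify the signing key file before reconfiguring.
# Assumptions: Linux with GNU coreutils (stat -c), HTCondor installed from the
# RPM (so /etc/condor/config.d and /etc/condor/passwords.d exist), run as root.
# The fragment name 99-idtokens.conf is my choice, not a convention of the page.
set -eu

CONFIG_DIR="${CONDOR_CONFIG_DIR:-/etc/condor/config.d}"
PASSWORD_DIR="${CONDOR_PASSWORD_DIR:-/etc/condor/passwords.d}"

# Write the settings from the page into a config.d fragment (Linux, so the
# client list keeps FS; on Windows that entry would be NTSSPI).
write_idtokens_config() {
    local dest="$1"
    cat > "$dest" <<'EOF'
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = IDTOKENS
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = IDTOKENS
SEC_CLIENT_AUTHENTICATION_METHODS = FS, IDTOKENS
ALLOW_DAEMON = condor_pool@*
EOF
}

# Return 0 only if the signing key file exists, is mode 0600 and is owned by
# the expected user (root in production). A group- or world-readable key lets
# any local user mint tokens and join their own daemons to the pool, so refuse it.
check_key_perms() {
    local file="$1" owner="${2:-root}"
    local mode user
    [ -f "$file" ] || { echo "missing signing key: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file")
    user=$(stat -c '%U' "$file")
    [ "$mode" = "600" ] || { echo "$file has mode $mode, want 600" >&2; return 1; }
    [ "$user" = "$owner" ] || { echo "$file owned by $user, want $owner" >&2; return 1; }
    return 0
}

# The full procedure for one host. Only runs when invoked with --apply.
enable_idtokens() {
    write_idtokens_config "$CONFIG_DIR/99-idtokens.conf"

    # Interactive prompt on purpose: with -p the key would appear in the
    # process list and in shell history.
    condor_store_cred -c add

    # condor_store_cred creates the file 0600 root; stop here if a hand-copied
    # POOL file landed with looser permissions or the wrong owner.
    check_key_perms "$PASSWORD_DIR/POOL" root

    # Pick up the new settings on every running daemon in the pool.
    condor_reconfig -all

    # Smoke test: ask the collector what it sees for a DAEMON-level request
    # from this host (method and authenticated identity are printed with -verbose).
    condor_ping -verbose -type collector DAEMON \
        || echo "DAEMON-level authentication to the collector failed" >&2
}

if [ "${1:-}" = "--apply" ]; then
    enable_idtokens
fi
```

Run it as root with `bash enable-idtokens.sh --apply` (the script name is my choice). Without --apply it only defines the functions, so you can source it and call check_key_perms on its own after copying /etc/condor/passwords.d/POOL to another machine.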