Later versions of Condor should remove all of these limitations. -*: Authentication is not supported. _This is extremely insecure_. + *: Microsoft Windows is not supported. *: Mixed IPv4/IPv6 pools are not supported. *: You must use NO_DNS=TRUE, with all of those ramifications. +*: Security policies cannot use IP addresses, only hostnames. *: You must set NETWORK_INTERFACE to a specific IPv6 address. {section: Notes} -*:In places where Condor is expecting an IP address and a port (e.g. "192.168.0.1:9618"), IPv6 addresses must be wrapped in [square brackets] (e.g. "[fe80::862b:2bff:fe98:65f2]:9618"). +*:In places where Condor is expecting an IP address and a port (e.g. "192.168.0.1:9618"), IPv6 addresses are wrapped in [square brackets] (e.g. "[fe80::862b:2bff:fe98:65f2]:9618"). +*:When using NO_DNS, IPv6 addresses are turned into hostnames by taking the IPv6 address, changing colons to dashes, and appending DEFAULT_DOMAIN_NAME. So 2607:f388:1086:0:21b:24ff:fedf:b520 becomes 2607-f388-1086-0-21b-24ff-fedf-b520.example.com (assuming DEFAULT_DOMAIN_NAME=example.com) {section: Enabling IPv6} {code} NO_DNS = TRUE -# NO_DNS requires a default domain name. NO_DNS -# creates artificial hostnames similar to -# 2607-f388-1086-0-21e-68ff-fe0f-6462.example.com -# where the first portion is the computer's IPv6 address -# with dashes replacing the colons. The second part -# is the DEFAULT_DOMAIN_NAME. +# NO_DNS requires a default domain name. DEFAULT_DOMAIN_NAME = example.com ENABLE_IPV6 = TRUE 
@@ -36,21 +33,14 @@ # This is the NO_DNS style name for the central manager COLLECTOR_HOST = 2607-f388-1086-0-21e-68ff-fe0f-6462.example.com -ALLOW_READ=* -ALLOW_WRITE=* -ALLOW_ADMINISTRATOR=* -ALLOW_CONFIG=* -ALLOW_SOAP=* -ALLOW_OWNER=* -ALLOW_NEGOTIATOR=* -ALLOW_DAEMON=* +# This is example security configuration for a pool of three hosts. +ALL_NODES_IN_POOL= 2607-f388-1086-0-21b-24ff-fedf-b520.example.com,2607-f388-1086-0-21e-68ff-fe0f-6462.example.com,2607-f388-1086-0-21e-68ff-fe1e-f9e.example.com +ALLOW_WRITE = $(ALL_NODES_IN_POOL) +ALLOW_READ = $(ALL_NODES_IN_POOL) +ALLOW_ADMINISTRATOR = $(COLLECTOR_HOST) +ALLOW_CONFIG = +ALLOW_SOAP = +ALLOW_OWNER = $(COLLECTOR_HOST),$(HOSTNAME) +ALLOW_NEGOTIATOR= $(COLLECTOR_HOST) +ALLOW_DAEMON= $(ALL_NODES_IN_POOL) {endcode} - -NETWORK_INTERFACE is required; used for detection of scope ids. - - - -{section: To Do} - -*: Is the changing meaning of $(HOSTNAME) with NO_DNS even present in IPv4? File as a bug. -*: Investigate authentication not working
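Review bot: In the limitations list of the first hunk, "Authentication is not supported. _This is extremely insecure_." is removed, but no added line says that authentication now works. If it is still unsupported, keep that item next to the new "Security policies cannot use IP addresses, only hostnames" entry, because the example policy further down then rests on host names alone. The new NO_DNS note in the same hunk should also say how a compressed address is handled: its example uses a fully written address (2607:f388:1086:0:21b:24ff:fedf:b520), while the bracket example just above it uses "fe80::862b:2bff:fe98:65f2", and a plain colon-to-dash swap of that would produce a name containing "--".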
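Review bot: In the hunk at "@@ -36,21 +33,14 @@", "ALLOW_CONFIG =" and "ALLOW_SOAP =" are added with empty values and no comment explaining what an empty list means. Add a comment on each line stating the intended effect, so a reader copying the example knows whether these levels are closed or fall back to a default. The new "ALLOW_OWNER = $(COLLECTOR_HOST),$(HOSTNAME)" line depends on $(HOSTNAME), yet the To Do item asking about "the changing meaning of $(HOSTNAME) with NO_DNS" is deleted in the same hunk; state in a comment what $(HOSTNAME) expands to here. Every entry in ALL_NODES_IN_POOL is a NO_DNS name derived from an address, so the comment "example security configuration for a pool of three hosts" should say that the policy is only as strong as the address it is built from. Style: spacing around "=" is inconsistent ("ALL_NODES_IN_POOL= ", "ALLOW_NEGOTIATOR= ", "ALLOW_DAEMON= " versus "ALLOW_WRITE = ").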