Work in progress.

Not verified yet.

Enabling IDTOKENS

Is IDTOKENS in the authentication methods list by default?

Is our best practice here to create condor@$(TRUST_DOMAIN) tokens? role@$(TRUST_DOMAIN) tokens? (There's a ticket to make the latter the default for promiscuous mode.)

The key part of the configuration is the ALLOW lists, which may eventually have sane user-based defaults (if we stop shipping a config file with use security: host_based).

Maybe what we really need is just the "upgrading from host-based to user-based security (with IDTOKENS)" page?

Enabling Promiscuous Mode

Enabling IDTOKENS doesn't mean you automatically start using it; you have to distribute tokens to the daemons first. To make that easier, you can enable "promiscuous mode" by running condor_token_request_auto_approve on the central manager, which tells the collector to approve token requests arriving from a given netblock during a limited window. (See the man page for details.) However, that doesn't work out of the box, because a daemon that has no token yet has nothing to authenticate with when it asks the collector for one. Add the following three lines to your configuration: the first two let the collector accept ANONYMOUS connections at the DAEMON and READ levels, and the third makes sure an anonymous client is never actually granted DAEMON-level authorization.

promiscuous-mode.config
# Enable IDTOKENS' promiscuous mode: let a daemon that has no token yet
# reach the collector unauthenticated (ANONYMOUS) so it can request one ...
COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
# ... but never grant an anonymous client DAEMON-level authorization.
COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*


central-manager.config
CONDOR_HOST = <this machine's external IP address>

use security : strong

# Only the daemon identity carried by an IDTOKEN (condor@<trust domain>,
# written condor@* here) may write, act as a daemon or negotiator, or
# administer the pool; anyone may read. The same lists are repeated in the
# submit and execute configurations below.
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*

# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS

use role : CentralManager

submit.config
CONDOR_HOST = <central manager's external IP address>

use security : strong

ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*

# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS

use role : submit

# Allow any local user to submit jobs.
ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)

execute.config
CONDOR_HOST = <central manager's external IP address>

use security : strong

ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*

# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS

use role : execute
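To see what the ALLOW lists above and the promiscuous-mode DENY_DAEMON line grant and refuse, here is an added example (not HTCondor's own code) that evaluates a simplified model of HTCondor's user@domain/host authorization lists against constructed identities and addresses. It assumes that an entry is "user@domain/host" with "*" wildcards on either side, that a DENY match beats any ALLOW match, and that a SUBSYS.KNOB overrides the unprefixed KNOB for that daemon; the $(...) macros are written out by hand, and the metaknobs, authorization-level implication and hostname matching are not modelled. The identity strings (condor@pool.example.com, CONDOR_ANONYMOUS_USER@unmapped) are made up; only the CONDOR_ANONYMOUS_USER prefix comes from the page's DENY pattern. It goes beyond the page's configuration with a deliberately weak variant and a CIDR netblock entry.

```python
"""Simplified model of how HTCondor evaluates ALLOW_*/DENY_* lists.

Added example, not HTCondor's own code.  Assumed semantics:
  * a peer is (authenticated identity "user@domain", its IP address);
  * an entry is "user@domain/host"; either half may be omitted or contain
    "*" wildcards, and host may be a CIDR netblock;
  * any DENY_<level> match wins over ALLOW_<level>;
  * SUBSYS.KNOB overrides KNOB for that daemon (as COLLECTOR.DENY_DAEMON
    does on the page).
Metaknobs, $(...) macros, level implication and hostname/reverse-DNS
matching are not modelled.  All identities and addresses are constructed.
"""
import fnmatch
import ipaddress

# central-manager.config plus the promiscuous-mode.config lines, macros
# written out by hand.
CM_CONFIG = {
    "ALLOW_READ": "*",
    "ALLOW_WRITE": "condor@*",
    "ALLOW_DAEMON": "condor@*",
    "ALLOW_ADMINISTRATOR": "condor@*",
    "ALLOW_NEGOTIATOR": "condor@*",
    "COLLECTOR.DENY_DAEMON": "CONDOR_ANONYMOUS_USER*/*",
}
# Deliberately weak variant: ALLOW_DAEMON wide open and no DENY line.
WEAK_CONFIG = {"ALLOW_READ": "*", "ALLOW_DAEMON": "*"}
DENY_ANON = {"COLLECTOR.DENY_DAEMON": "CONDOR_ANONYMOUS_USER*/*"}

DAEMON_ID = "condor@pool.example.com"       # constructed condor@<trust domain> identity
ANON_ID = "CONDOR_ANONYMOUS_USER@unmapped"  # user part from the DENY pattern; domain made up


def lookup(config, subsys, knob):
    """SUBSYS.KNOB if set, else the unprefixed KNOB, else empty string."""
    return config.get(f"{subsys}.{knob}", config.get(knob, ""))


def split_list(value):
    """ALLOW/DENY values are comma- and/or whitespace-separated."""
    return value.replace(",", " ").split()


def parse_entry(entry):
    """Split one entry into (user_pattern, host_pattern).

    Bare IPs, netblocks and hostname patterns carry no user part and so
    match any authenticated user."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return "*", entry
    except ValueError:
        pass
    if "/" in entry:
        user, host = entry.split("/", 1)
        return user or "*", host or "*"
    if "@" in entry:
        return entry, "*"
    return "*", entry


def host_matches(pattern, peer_ip):
    """CIDR containment when the pattern is a netblock, glob match otherwise."""
    if pattern == "*":
        return True
    try:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(peer_ip, pattern)


def authorized(config, subsys, level, identity, peer_ip):
    """True if daemon <subsys> grants <level> to identity coming from peer_ip."""
    def matches(knob):
        return any(
            fnmatch.fnmatchcase(identity, user_pat) and host_matches(host_pat, peer_ip)
            for user_pat, host_pat in map(parse_entry, split_list(lookup(config, subsys, knob)))
        )
    if matches(f"DENY_{level}"):  # DENY is consulted first and always wins
        return False
    return matches(f"ALLOW_{level}")


def demo():
    """Decisions for the page's configuration and for the weak variant."""
    anon = (ANON_ID, "10.0.0.9")
    return {
        "daemon token, DAEMON on collector": authorized(CM_CONFIG, "COLLECTOR", "DAEMON", DAEMON_ID, "10.0.0.5"),
        "anonymous, READ on collector": authorized(CM_CONFIG, "COLLECTOR", "READ", *anon),
        "anonymous, DAEMON on collector": authorized(CM_CONFIG, "COLLECTOR", "DAEMON", *anon),
        "anonymous, DAEMON on collector, weak config": authorized(WEAK_CONFIG, "COLLECTOR", "DAEMON", *anon),
        "anonymous, DAEMON on collector, weak config + DENY line":
            authorized({**WEAK_CONFIG, **DENY_ANON}, "COLLECTOR", "DAEMON", *anon),
        "daemon token from outside a netblock entry":
            authorized({"ALLOW_DAEMON": "condor@*/10.0.0.0/8"}, "STARTD", "DAEMON", DAEMON_ID, "192.168.1.1"),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        verdict = "ALLOW" if ok else "DENY"
        print(f"{verdict:5}  {label}")
```

With the page's configuration the anonymous peer gets READ on the collector (ALLOW_READ = *) but not DAEMON; the weak variant shows that without the DENY_DAEMON line an over-broad ALLOW_DAEMON would hand DAEMON authorization to anyone who can open an ANONYMOUS connection, which is exactly what the third promiscuous-mode line prevents.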