Page History
- 2021-Feb-08 17:28 tlmiller
- 2021-Feb-08 17:28 tlmiller
- 2021-Feb-02 17:19 tlmiller
- 2021-Feb-02 16:10 tlmiller
- 2021-Feb-02 16:09 tlmiller
{file central-manager.config} use security : strong
# (This section seems like it should be use security : user_based, # but that has host names all over it.)
ALLOW_ADMINISTRATOR = condor@* ALLOW_OWNER = condor@* ALLOW_READ = * ALLOW_WRITE = condor@* ALLOW_DAEMON = condor@* ALLOW_NEGOTIATOR = condor@*
# Flocking (completely untested). # Should the first entry be $(ALLOW_NEGOTIATOR)? ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS) ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM) ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM) ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM) ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
# Enable IDTOKENS (for daemons) and FS (for users). SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
CONDOR_HOST = <this machine's external IP address>
# central manager -specific bits use role : CentralManager
# Allow IDTOKENS' promiscuous mode to work. Enable ANONYMOUS for DAEMON (token autorequest requires # authentication, probably to secure the channel) and for READ (for condor_status, because we required # all connections to be authenticated by enabling strong security). COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS # Authenticate the ANONYMOUS daemon, but do NOT authorize it. Since ALLOW_READ is already , we don't # need to repeat this for READ. COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/ {endfile}
{file submit.config} use security : strong
ALLOW_ADMINISTRATOR = condor@* ALLOW_OWNER = condor@* ALLOW_READ = * ALLOW_WRITE = condor@* ALLOW_DAEMON = condor@* ALLOW_NEGOTIATOR = condor@*
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS) ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM) ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM) ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM) ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : submit
# For admin and to set COLLECTOR_HOST. CONDOR_HOST = 18.235.233.46
# Allow any local user to submit jobs. ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)
# For promiscuous mode (and condor_status and condor_q). SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS {endfile}
{file execute.config} use security : strong
ALLOW_ADMINISTRATOR = condor@* ALLOW_OWNER = condor@* ALLOW_READ = * ALLOW_WRITE = condor@* ALLOW_DAEMON = condor@* ALLOW_NEGOTIATOR = condor@*
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS) ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM) ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM) ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM) ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
CONDOR_HOST = 18.235.233.46
use role : execute
# For promiscuous mode (and condor_status and condor_q, not that anyone # should ever run those on the execute node). SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS {endfile}