
Not yet fully verified (and not only the flocking part).

central-manager.config
# Central manager (collector + negotiator) configuration.  'strong' requires
# every connection to be authenticated, which is why ANONYMOUS has to be
# added explicitly further down for the collector.
use security : strong

# (This section seems like it should be use security : user_based,
# but that has host names all over it.)

# Authorization lists.  Everything except READ is limited to the condor@*
# identity (presumably the daemon identity carried by IDTOKENS -- confirm);
# READ is granted to any authenticated identity, and on the collector that
# includes ANONYMOUS (see COLLECTOR.SEC_READ_AUTHENTICATION_METHODS below),
# so collector READ is effectively open to anyone who can reach the port.
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*

# Flocking (completely untested, from use security: user_based).
# Should the first entry be $(ALLOW_NEGOTIATOR)?
# FLOCK_NEGOTIATOR_HOSTS and FLOCK_FROM are not set in this file.  An
# undefined macro expands to the empty string, so until they are defined
# these lists are just the base ALLOW_WRITE / ALLOW_READ values.
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)

# Enable IDTOKENS (for daemons) and FS (for users).
# NOTE(review): this list is comma-separated while the COLLECTOR.* overrides
# below append ANONYMOUS with a space; I believe HTCondor accepts either
# separator in list values, but confirm with condor_config_val -dump or use
# one separator consistently.
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS

# Placeholder -- replace before use.  The submit and execute configs on
# this page point at a literal address for this value.
CONDOR_HOST = <this machine's external IP address>

# central manager -specific bits
use role : CentralManager

# Allow IDTOKENS' promiscuous mode to work.  Enable ANONYMOUS for DAEMON (token autorequest requires
# authentication, probably to secure the channel) and for READ (for condor_status, because we required
# all connections to be authenticated by enabling strong security).
# ANONYMOUS is appended last, so it is only used when FS and IDTOKENS fail.
COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
# Authenticate the ANONYMOUS daemon, but do NOT authorize it.  Since ALLOW_READ is already *, we don't
# need to repeat this for READ.
# Defence in depth: ALLOW_DAEMON is condor@*, so an anonymous identity would
# not be authorized at DAEMON level even without this line.
# NOTE(review): confirm this user/host pattern matches the identity HTCondor
# actually reports for ANONYMOUS-authenticated connections (check the
# collector's security log with D_SECURITY); the page says this is unverified.
COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*

submit.config
# Submit node (schedd) configuration.  The security level, ALLOW_* lists,
# flocking lists and authentication methods duplicate central-manager.config
# above; a shared include would avoid the three copies drifting apart.
use security : strong

ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
# Redefined below to add local users; see the note there.
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*

# Flocking lists, as in central-manager.config.  FLOCK_NEGOTIATOR_HOSTS and
# FLOCK_FROM are not defined in this file (undefined macros expand to empty).
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)

# FS for local users, IDTOKENS for daemons.
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS

use role : submit

# For admin and to set COLLECTOR_HOST.
# Must be the central manager's externally reachable address (the placeholder
# in central-manager.config).
CONDOR_HOST = 18.235.233.46

# Allow any local user to submit jobs.
# NOTE(review): this only works if the domain part of an FS-authenticated
# identity is $(HOSTNAME).  If FS reports user@UID_DOMAIN and UID_DOMAIN is
# the full host name while $(HOSTNAME) is the short name, local users will
# not match -- verify with `condor_config_val HOSTNAME UID_DOMAIN` and a
# test condor_submit.
# Macro references are presumably expanded late, so this redefinition also
# flows into ALLOW_WRITE_COLLECTOR / ALLOW_WRITE_STARTD above.  Harmless on a
# submit-only host, but keep in mind if this file is copied elsewhere.
ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)

# For promiscuous mode (and condor_status and condor_q).  Do NOT put
# ANONYMOUS first, since it always succeeds but we need a real user ID
# for condor_q.
# READ: methods this host's daemons accept for inbound read-level commands.
# CLIENT: methods offered when this host connects out (condor_q,
# condor_status, the schedd talking to the collector).
SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS

execute.config
# Execute node (startd) configuration.  The security level, ALLOW_* lists,
# flocking lists and authentication methods are copies of the ones in
# central-manager.config above.
use security : strong

# Only condor@* gets privileged access; READ is open to any authenticated
# identity, and since ANONYMOUS is enabled for READ below, condor_status
# against this startd is effectively open to anyone who can reach it.
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*

# Flocking lists, as in central-manager.config.  FLOCK_NEGOTIATOR_HOSTS and
# FLOCK_FROM are not defined in this file (undefined macros expand to empty),
# so ALLOW_WRITE_STARTD / ALLOW_READ_STARTD -- which do matter here -- are
# currently just ALLOW_WRITE / ALLOW_READ.
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)

# IDTOKENS is what the startd will use towards the collector; FS is kept for
# consistency with the other two files.
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS

# The central manager's externally reachable address (the placeholder in
# central-manager.config); must match the submit config.
CONDOR_HOST = 18.235.233.46

use role : execute

# For promiscuous mode (and condor_status and condor_q, not that anyone
# should ever run those on the execute node).
# CLIENT: lets the startd fall back to ANONYMOUS towards the collector before
# it has a token (the collector accepts ANONYMOUS at DAEMON level for this).
# READ: accepts anonymous read-level queries against this startd.
SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS