Not fully verified yet (and not just the flocking part).
central-manager.config
use security : strong
# (This section seems like it should be use security : user_based,
# but that has host names all over it.)
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Flocking (completely untested, from use security: user_based).
# Should the first entry be $(ALLOW_NEGOTIATOR)?
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
CONDOR_HOST = <this machine's external IP address>
# central manager -specific bits
use role : CentralManager
# Allow IDTOKENS' promiscuous mode to work. Enable ANONYMOUS for DAEMON (token autorequest requires
# authentication, probably to secure the channel) and for READ (for condor_status, because we required
# all connections to be authenticated by enabling strong security).
COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
# Authenticate the ANONYMOUS daemon, but do NOT authorize it. Since ALLOW_READ is already *, we don't
# need to repeat this for READ.
COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
submit.config
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : submit
# For admin and to set COLLECTOR_HOST.
CONDOR_HOST = 18.235.233.46
# Allow any local user to submit jobs.
ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)
# For promiscuous mode (and condor_status and condor_q). Do NOT put
# ANONYMOUS first, since it always succeeds but we need a real user ID
# for condor_q.
SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
execute.config
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
ALLOW_NEGOTIATOR_SCHEDD = condor@* $(FLOCK_NEGOTIATOR_HOSTS)
ALLOW_WRITE_COLLECTOR=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_WRITE_STARTD=$(ALLOW_WRITE) $(FLOCK_FROM)
ALLOW_READ_COLLECTOR=$(ALLOW_READ) $(FLOCK_FROM)
ALLOW_READ_STARTD=$(ALLOW_READ) $(FLOCK_FROM)
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
CONDOR_HOST = 18.235.233.46
use role : execute
# For promiscuous mode (and condor_status and condor_q, not that anyone
# should ever run those on the execute node).
SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS