Upgrading To Eight Nine Twelve

Not logged in

• Browse
• Help
• Home
• Login
• Reports
• Search
• Timeline
• Wiki

• Contents
• No-Diff
• Text

 
 {subsection: Step 1: Required changes to security configuration}
 
-The default HTCondor security configuration is no longer host-based.  If you have not specifically configured another daemon authentication method (e.g. pool password, SSL, GSI, KRB5, etc), you will need to change your configuration.  If you have, delete =/etc/condor/config.d/00-htcondor-9.0.config=.
-
-Specifically, to allow HTCondor 9.0 to be secure by default, we have commented out the line
-
-   use security:host_based
-
-from the default =/etc/condor/condor_config=.  We have added a new configuration file, =/etc/condor/config.d/00-htcondor-9.0.config=.  (This file will not be overwritten by subsequent upgrades, so it is safe to modify.)  This file adds the line
+The default HTCondor security configuration is no longer host-based.  Specifically, to allow HTCondor 9.0 to be secure by default, we have commented out the line =use security:host_based= from the default =/etc/condor/condor_config=, and have added a new configuration file, =/etc/condor/config.d/00-htcondor-9.0.config=.  (This file will not be overwritten by subsequent upgrades, so it is safe to modify.)  This file adds the line
 
    use security:recommended_v9_0
 
-which configures user-based security and requires encryption, authentication, and integrity.
+which configures user-based security and requires encryption, authentication, and integrity. If you have already configured another daemon authentication method (e.g. pool password, SSL, GSI, KRB5, etc) at some point in the past, you can comment out the above line in file =00-htcondor-9.0.config= and skip to Step 2 below.
 
-You have three options.
+If you have not already configured some other daemon authentication method and thus are relying solely on host-based authentication (i.e. a list of allowed hostnames or IP addresses), you have three options:
 
 _: *Option A*.  Use _get_htcondor_ to reinstall your pool with a fresh installation; see the {link: https://htcondor.readthedocs.io/getting-htcondor/index.html instructions}.  The _get_htcondor_ tool will configure your pool with our recommended security configuration for you.  Once it's done, you can copy your site-specific configuration from your old installation to the new installation by placing configuration files into =/etc/condor/config.d=.
 
-_: *Option B*.  Run two commands (as root) on every machine in your pool to enable the recommended security configuration appropriate for  v8.9.12.  When prompted, type the same password for every machine.
+_: *Option B*.  Run two commands (as root) on every machine in your pool to enable the recommended security configuration appropriate for  v8.9.12.  When prompted, type the same password for every machine. (_Note:_ if typing a password is problematic, see the {link: https://htcondor.readthedocs.io/en/latest/man-pages/condor_store_cred.html condor_store_cred manual page} for other options such as reading the password from a file or command-line).
 
         # condor_store_cred -c add
         # umask 0077; condor_token_create -identity condor@mypool > /etc/condor/tokens.d/condor@mypool

This work is supported by NSF under Cooperative Agreement OAC-2030508 as part of the PATh Project. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF. Site built using CVSTrac.