Condor Authentication
From Ben's Writing
Contents |
Configuring a Windows credd
Adapted from Greg Quinn's "Condor Week 2007" Presentation
The condor-reuse-slotN accounts are local accounts without network privileges. To access files on a network share, the job needs to run using an account that has access to the shared network resources. Using a credd, its possible to have jobs run with the credentials of the submitting user.
Setting the Pool Password
- In your
condor_config, enable config access from the machine that you will runcondor_store_cred:
HOSTALLOW_CONFIG = $(HOSTALLOW_ADMINISTRATOR)
Where HOSTALLOW_ADMINISTRATOR should point to the central manager (in the case of multiple machines) or to $(FULL_HOSTNAME) (for single host configurations— usually used for testing purposes).
- If setting the password remotely, ensure the user account that runs the
condor_store_credcommand exists on every machine and has a common password. - Set the pool password on every machine (even if it is a single machine test pool):
C:\>condor_store_cred add –c –n node01.yourdomain.com
Configuring the credd Host
- Use the condor_config.local.credd example file:
C:\condor>copy etc\condor_config.local.credd .\
- Include this file as one of the local configuration files:
LOCAL_CONFIG_FILE = $(LOCAL_DIR)/condor_config.local \
$(LOCAL_DIR)/condor_config.local.credd
Running Jobs as Submitting User
Submit and execute machines need to be configured to use the credd:
CREDD_HOST = $(CONDOR_HOST) STARTER_ALLOW_RUNAS_OWNER = True SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD CREDD_CACHE_LOCALLY = True
Where NTSSPI means: use Windows Authentication. (NTSSPI is a horribly mangled and obscure acronym for "[Windows] NT Security Service Provider Interface", where the NT part is meant to represent the NT line of the Windows OS, such as Windows 2000, XP, [Advanced] Server 2003, etc.).
Example submit file:
universe = vanilla executable = whoami.exe log = whoami.log output = whoami.out run_as_owner = true queue
Where run_as_owner is the key: it ensures all jobs will be run as the submitting user. This means that the job will have access to all the files owned by the submitting user (most importantly, on the remote machines).
