Presentation is loading. Please wait.

Presentation is loading. Please wait.

HTCondor Security Basics HTCondor Week, Madison 2016

Published byHector Weaver Modified over 5 years ago

Similar presentations

Presentation on theme: "HTCondor Security Basics HTCondor Week, Madison 2016"— Presentation transcript:

1 HTCondor Security Basics HTCondor Week, Madison 2016
Zach Miller Center for High Throughput Computing Department of Computer Sciences University of Wisconsin-Madison

2 Overview What are the threats? Who do you trust?
What are the mechanisms? Other security concerns?

3 Threats The purpose of HTCondor is to accept arbitrary code from users and run it on a large number of machines

4 Threats The purpose of HTCondor is to accept arbitrary code from users and run it on a large number of machines The purpose of a botnet is to take arbitrary code and run it on a large number of machines

5 Threats So what’s the difference?
You wish to prevent unauthorized access Ultimately, it just comes down to who can use your pool, and how they can use it.

6 Basic Concepts “Who can use your pool” is really two concepts:
The “Who” is authentication The “can use” is authorization

7 Basic Concepts Authentication is finding out WHO some entity is.
How is this done? Common methods: Present a secret that only you should know Perform some action that only you can do Present a credential that only you could have

8 Basic Concepts Authorization is deciding what someone is allowed to do. You must know who they are before you can decide this!

9 Basic Concepts I’m using “they” pretty loosely here. “They” could be:
A user A machine An agent/daemon/service

10 Basic Concepts In the context of an HTCondor pool:
You want only machines that you trust to be in the pool You want only people you trust to submit jobs

11 Assumptions of Trust HTCondor relies on trusting the “root” user of a machine If this is compromised, all bets are off HTCondor daemons trust each other You need to trust your friendly HTCondor administrator

12 Assumptions of Trust How about users?
HTCondor places some restrictions on users: zmiller cannot submit, remove, or manipulate jobs belonging to another user But ”bad” users can still cause problems Running fork bomb: while(1) { fork() } Intentionally interfering with the system

13 Assumptions of Trust So, users are trusted to some degree
Preventing every possible bad behavior makes the system too cumbersome for good users Security is always a balancing act with usability Decide how much you want to prevent versus punish

14 Restricting Users SUBMIT_REQUIREMENT allows the administrator to restrict what jobs are able to enter the queue Can be used to prevent users from lying about what groups they belong to: SUBMIT_REQUIREMENT_NAMES = GROUP1 SUBMIT_REQUIREMENT_GROUP1= (AcctGroup =!= “group1”) || (AcctGroup =?= “group1” && (Owner==“zmiller” || Owner==“tannenba”)) SUBMIT_REQUIREMENT_GROUP1_REASON=“User not in group1”

15 Restricting Users SUBMIT_REQUIREMENT allows the administrator to restrict what jobs are able to enter the queue Can be used to allow only certain executable files, number of CPUs requested for a job, anything else that is part of the Job ClassAd

16 Authentication When users submit jobs, HTCondor authenticates them
The HTCondor SCHEDD daemon now “owns” the jobs, and acts on their behalf.

17 Authentication So how can we trust the SCHEDD?
Daemon-to-daemon authentication

18 Authentication For a secure pool, both users and HTCondor daemons must authenticate themselves HTCondor supports several mechanisms: File System Password Kerberos SSL GSI

19 Other Security Mechanisms
In addition to authenticating network connections, you may also wish to use: Integrity Checks (MD5) Allows HTCondor to know if traffic has been tampered with Encryption (3DES, Blowfish) Allows HTCondor to transmit encrypted data so it cannot be spied on while in transit

20 Example “Strong” Configuration
SEC_DEFAULT_AUTHENTICATION = REQUIRED SEC_DEFAULT_AUTHENTICATION_METHODS = Kerberos SEC_DEFAULT_ENCRYPTION = REQUIRED SEC_DEFAULT_INTEGRITY = REQUIRED

21 Security Negotiation When first contacting each other, HTCondor daemons have a short negotiation to find out which mechanisms are support and what features are required for the connection server client I want to submit a job You must authenticate w/ kerberos KERBEROS normal submit protocol

22 Security Negotiation Policy Reconciliation Example: CLIENT POLICY
SEC_DEFAULT_ENCRYPTION = OPTIONAL SEC_DEFAULT_INTEGRITY = OPTIONAL SEC_DEFAULT_AUTHENTICATION = OPTIONAL SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD SERVER POLICY SEC_DEFAULT_ENCRYPTION = REQUIRED SEC_DEFAULT_INTEGRITY = REQUIRED SEC_DEFAULT_AUTHENTICATION = REQUIRED SEC_DEFAULT_AUTHENTICATION_METHODS = SSL RECONCILED POLICY ENCRYPTION = YES INTEGRITY = YES AUTHENTICATION = YES METHODS = SSL

23 Security Configuration
I’m going to skip the detailed configuration of each particular security mechanism. Security is not one-size fits all If you are interested in details, please schedule some “office hours” with me to discuss.

24 Configuration Security
Are your condor_config files secured? They should be owned and only modifiable by root. If you use a config directory, make sure only root can create files in it

25 Configuration Security
HTCondor can allow configuration changes using a command-line tool: condor_config_val –set Name Value However, this behavior is off by default and needs to be enabled on a case-by-case basis for each config parameter… use carefully only if you really need it

26 HTCondor Privilege HTCondor typically runs “as root” Why?
Impersonating users Process isolation Reading secure credentials When it isn’t actively using root, it switches effective UID to another user (“condor”)

27 HTCondor Privilege HTCondor will never launch a user job as root. There is a “circuit breaker” at the lowest level to prevent it. If not using system credentials, the Central Manager can run without root priv Let’s examine some different Startd configurations

28 StartD Configurations
Startds have a few different options for running jobs: Run jobs as the submitting user Run jobs as the user “nobody” Allows jobs to interfere with one another Run jobs as a dedicated user per slot Keeps jobs running as a low-privilege user Isolates jobs from one another Makes it easy to clean up after a job

29 glexec Allows HTCondor daemons to be run without root privilege, yet running jobs can still assume the UID of the submitting user Uses GSI credentials to authenticate Very useful for glidein jobs

30 Encrypted File Transfer
Even if that admin has not required encryption for all network connections, user jobs can specify per-file for both input and output if the files should be encrypted: Encrypt_Input_Files = file1, *.dat Encrypt_Output_Files = data.private

31 Encrypt Execute Directory
If you are using Linux with ecryptfs installed, you can have HTCondor encrypt the execute directory on disk, offering extra protection of sensitive data. Can be enabled pool-wide by the admin: ENCRYPT_EXECUTE_DIRECTORY = True Per-job in the submit file: Encrypt_Execute_Directory = True

32 Vulnerabilities HTCondor has been assessed by an independent research group. That was many years ago. Another audit will be coming “soon” Our vulnerability reporting process is documented and vulnerability reports publicly available:

33 Questions? Schedule “office hours” this week
the htcondor-users mailing list and if your question is security related I will (likely) respond me directly

Download ppt "HTCondor Security Basics HTCondor Week, Madison 2016"

Similar presentations

Jaime Frey Computer Sciences Department University of Wisconsin-Madison OGF 19 Condor Software Forum Routing.

Jaime Frey Computer Sciences Department University of Wisconsin-Madison OGF 19 Condor Software Forum Routing.
Building a secure Condor ® pool in an open academic environment Bruce Beckles University of Cambridge Computing Service.

Building a secure Condor ® pool in an open academic environment Bruce Beckles University of Cambridge Computing Service.
Pharos Uniprint 8.3.

Pharos Uniprint 8.3.
Operating System Security

Operating System Security
Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.

Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.
With TimeCard appointments are tagged with information that converts them into time sheets. This way users can report time and expenses from their Outlook.

With TimeCard appointments are tagged with information that converts them into time sheets. This way users can report time and expenses from their Outlook.
Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.

Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
HTCondor Security Mechanisms Overview “Padlock” by Peter Ford © 2005 Licensed under the Creative Commons Attribution 2.0 license

HTCondor Security Mechanisms Overview “Padlock” by Peter Ford © 2005 Licensed under the Creative Commons Attribution 2.0 license
Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.

Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.
Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.

Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Flexible Data Placement Mechanisms in Condor.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Flexible Data Placement Mechanisms in Condor.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Zach Miller Computer Sciences Department University of Wisconsin-Madison What’s New in Condor.

Zach Miller Computer Sciences Department University of Wisconsin-Madison What’s New in Condor.

Similar presentations

Ads by Google