Presentation is loading. Please wait.

Presentation is loading. Please wait.

HTCondor Security Mechanisms Overview “Padlock” by Peter Ford © 2005 Licensed under the Creative Commons Attribution 2.0 license

Published byElfreda Mosley Modified over 9 years ago

Similar presentations

Presentation on theme: "HTCondor Security Mechanisms Overview “Padlock” by Peter Ford © 2005 Licensed under the Creative Commons Attribution 2.0 license"— Presentation transcript:

1 HTCondor Security Mechanisms Overview “Padlock” by Peter Ford © 2005 Licensed under the Creative Commons Attribution 2.0 license http://www.flickr.com/photos/peterf/72583027/ http://www.webcitation.org/5XIiBcsUg

2 2 HTCondor Security › Allows authentication of users and daemons › Encryption over the network › Integrity checking over the network “locks-masterlocks.jpg” by Brian De Smet, © 2005 Used with permission. http://www.fief.org/sysadmin/blosxom.cgi/2005/07/21#locks

3 3 Authorization › HTCondor users ALLOW / DENY lists to control authorization › There are different levels of access in HTCondor, and each can have a separate authorization list and security policy.

4 4 Authorization › Possible values for authorization levels:  CLIENT  READ  WRITE  CONFIG  ADMINISTRATOR  OWNER  DAEMON  NEGOTIATOR

5 5 Authorization Levels › READ  querying information  condor_status, condor_q, etc › WRITE  updating information  condor_submit, adding nodes to a pool, sending ClassAds to the collector, etc  Includes READ

6 6 Authorization Levels › ADMINISTRATOR  Administrative commands  condor_on, condor_off, condor_reconfig, condor_restart, etc.  Includes READ and WRITE

7 7 Authorization Levels › DAEMON  Daemon to daemon communications  Includes READ and WRITE › NEGOTIATOR  condor_negotiator to other daemons  Includes READ

8 8 Authorization The full hierarchy of authorization levels: READ WRITE DAEMONADMINISTRATOR CONFIG OWNER CLIENT NEGOTIATOR

9 9 Authorization › There is a separate ALLOW / DENY list for each authorization level. › DENY takes preference over ALLOW ALLOW_READ = * ALLOW_WRITE = *.cs.wisc.edu DENY_WRITE = zeroday.cs.wisc.edu ALLOW_ADMINISTRATOR = condor.cs.wisc.edu

10 10 Host-based Authorization › More Examples: ALLOW_WRITE = * ALLOW_WRITE = goose.cs.wisc.edu ALLOW_WRITE = *.cs.wisc.edu ALLOW_WRITE = 128.105.* ALLOW_WRITE = 128.105.0.0/16

11 11 Host-based Authorization › Each entry is a comma-separated list. › Wildcards are allowed only at the beginning of hostnames or at the end of IP addresses. › Subnets are supported using a / and number of significant bits. HOSTALLOW_WRITE = *.cs.wisc.edu, *.engr.wisc.edu HOSTALLOW_WRITE = 128.105.*, *.engr.wisc.edu, 128.105.64.0/18

12 12 Host-based Authorization › This is the default setup, which has some shortcomings but is easy to configure. › Allows you to specify capabilities by hostname, IP address, and/or subnet.

13 13 Problems With Default Installation › Host-based granularity is too big  Any user who can login to central manager has “Administrator” privileges HOSTALLOW_ADMINISTRATOR = $(CONDOR_HOST)  Any user on an execute machine can evict the job on that machine via condor_vacate HOSTALLOW_OWNER = $(FULL_HOSTNAME)

14 14 Problems With Default Installation › Most connections are NOT authenticated  Queue management commands (condor_submit, condor_hold, etc.) are because Condor explicitly forces authentication.  Daemon-to-daemon commands are not.  It is possible to send false information to the collector and other denials of service

15 15 Problems With Default Installation › Traffic is not encrypted or checked for integrity.  Possibility of someone eavesdropping on your traffic, including files transferred to or from execute machine  Possibility of someone modifying your traffic without detection

16 16 Security Policy Configuration › Condor provides many mechanisms to address the previous shortcomings:  Many authentication methods  Strong encryption  Signed checksums for integrity

17 17 Security Policy Configuration › Condor will negotiate security requirements and supported methods client server I want to submit a job You must authenticate w/ kerberos KERBEROS normal submit protocol

18 18 Security Policy Configuration Default Policy SEC_DEFAULT_ENCRYPTION = OPTIONAL SEC_DEFAULT_INTEGRITY = OPTIONAL SEC_DEFAULT_AUTHENTICATION = OPTIONAL SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD#UNIX SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI, KERBEROS, SSL, PASSWORD#WIN32

19 19 Security Policy Configuration Default Policy Possible Policy Values NEVERdo not allow this to happen OPTIONALdo not request it, but allow it PREFFEREDrequest it, but do not require it REQUIREDthis is mandatory SEC_DEFAULT_ENCRYPTION = OPTIONAL SEC_DEFAULT_INTEGRITY = OPTIONAL SEC_DEFAULT_AUTHENTICATION = OPTIONAL SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD#UNIX SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI, KERBEROS, SSL, PASSWORD#WIN32

20 20 Security Policy Configuration YYYX YYYN YYNN XNNN R P O N Required Preferred Optional Never Client Policy Server Policy Policy Reconciliation

21 21 Security Policy Configuration Policy Reconciliation Example CLIENT POLICY SEC_DEFAULT_ENCRYPTION = OPTIONAL SEC_DEFAULT_INTEGRITY = OPTIONAL SEC_DEFAULT_AUTHENTICATION = OPTIONAL SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD SERVER POLICY SEC_DEFAULT_ENCRYPTION = REQUIRED SEC_DEFAULT_INTEGRITY = REQUIRED SEC_DEFAULT_AUTHENTICATION = REQUIRED SEC_DEFAULT_AUTHENTICATION_METHODS = SSL RECONCILED POLICY ENCRYPTION = YES INTEGRITY = YES AUTHENTICATION = YES METHODS = SSL

22 22 Security Policy Configuration Once you have authenticated users, you may use a more fine-grained authorization list: ALLOW_WRITE = zmiller@cs.wisc.edu ALLOW_WRITE = zmiller@cs.wisc.edu/goose.cs.wisc.edu ALLOW_WRITE = zmiller@cs.wisc.edu/*.cs.wisc.edu

23 23 Security Policy Configuration › Format of canonical username: user@domain/host › One wildcard allowed in the user@domain portion, and one allowed in the host portion › If there is no ‘/’ character, Condor will do one of two things:  If there is an ‘@’ character, it is assumed to be a username, and maps to user@domain/*  If there is no ‘@’, it is assumed to be a hostname and maps to */hostname

24 24 Example Policies › Allow anyone from wisc.edu: ALLOW_READ=*.wisc.edu › Allow any authenticated local user: ALLOW_READ=*@wisc.edu/*.wisc.edu › Allow specific user/machine ALLOW_NEGOTIATOR= \ daemon@wisc.edu/condor.wisc.edu

25 25 AUTHENTICATION_METHODS › How to authenticate users and daemons?  NTSSPI – Microsoft Windows  FS – (UNIX) Local file system  FS_REMOTE – (UNIX) Network file system  CLAIMTOBE – Insecure, for testing  ANONYMOUS – Insecure  PASSWORD – Shared secret  SSL – Public key encryption  Kerberos – Requires existing KDC setup  GSI – Globus/Grid Security Infrastructure

26 26 NTSSPI Microsoft Windows › Only works on Windows › Password must be the same on both systems › No configuration required

27 27 FS : File System › Checks that the user can create a directory owned by the user.  Only works on local machine (uses /tmp)  Assumes filesystem is trustworthy › No configuration required “Hard drive” by Robbie Sproule © 2005 Licensed under the Creative Commons Attribution 2.0 license http://www.flickr.com/photos/robbie1/73032053/ http://www.webcitation.org/5XQVcvsyYs

28 28 FS_REMOTE › Checks that the user can create a directory owned by the user on a shared filesystem  Works across machines  Assumes filesystem is trustworthy!!! THIS IS NOT ALWAYS TRUE!  Target directory must be properly configured. “Hard drive” by Robbie Sproule © 2005 Licensed under the Creative Commons Attribution 2.0 license http://www.flickr.com/photos/robbie1/73032053/ http://www.webcitation.org/5XQVcvsyYs

29 29 CLAIMTOBE › CLAIMTOBE - Just what it sounds like  Allows client to send any ID  Very insecure  Useful for testing

30 30 PASSWORD › Shared secret › Only suitable for daemon-to-daemon communications, not for authenticating end users › Always authenticates as principle “condor_pool@$(UID_DOMAIN)” › Simple › Works on both UNIX (using filesystem protection) and Windows (using secure registry storage)

31 31 SSL › Public key encryption system › Daemons and users have X.509 certificates › Flexible – all Condor daemons in pool can share one certificate, or use one cert per host. › Map file transforms X.509 distinguished name into an identity (see later slides on mapping)

32 32 Kerberos and GSI › Complex to set up › Useful if you already use one of these systems › The most secure methods HTCondor provides (along with SSL) “two locks and a seed” by “Darwin Bell” © 2005 Licensed under the Creative Commons Attribution 2.0 license http://www.flickr.com/photos/darwinbell/321434315/ http://www.webcitation.org/5XQW02h8V

33 33 Security Policy Configuration › Map file controls how credentials are mapped to HTCondor user principals. › In your condor_config: CERTIFICATE_MAPFILE = /path/to/mapfile › Each line is a mapping rule. › Each rule has three fields: method regexmapped_name (any field with spaces should be quoted)

34 34 Security Policy Configuration › Some example map file entries: (These should be one line, they are split here) SSL “/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin -- Madison/O=Computer Sciences Department/OU=Condor Project/CN=Zach Miller/Email=zmiller@cs.wisc.edu” zmiller@cs.wisc.edu SSL “/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin -- Madison/O=Computer Sciences Department/OU=Condor Project/CN=Todd Tannenbaum/Email=tannenba@cs.wisc.edu” tannenba@cs.wisc.edu Etc.

35 35 Security Policy Configuration › Example with Regular Expression:  RegEx matches and sub-matches can be referenced using \1, \2, etc.  The map file gives you a canonical name from the authenticated user: SSLEmail=(.*)\1 “/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin – Madison/O=Computer Sciences Department/OU=Condor Project /CN=Zach Miller/Email=zmiller@cs.wisc.edu” zmiller@cs.wisc.edu

36 36 Security Policy Configuration › Default map file: (each line is ) FS (.*) \1 FS_REMOTE (.*) \1 GSI (.*) GSS_ASSIST_GRIDMAP (Special Token to call Globus) SSL (.*) unmapped KERBEROS (.*) \1 NTSSPI (.*) \1 CLAIMTOBE (.*) \1 ANONYMOUS (.*) CONDOR_ANONYMOUS PASSWORD (.*) \1

37 37 Example Security Configuration › Let’s put it all together with an example. › Desired policy, in English:  Authenticate, encrypt, and do integrity checks on everything.  Use SSL authentication for daemon-to- daemon communication  Use FS (or SSL) authentication for users so that we don’t need to issue certs to everyone.

38 38 condor_submit condor_q condor_rm … schedd central manager startd

39 39 Example Security Configuration # Turn on all security options: SEC_DEFAULT_AUTHENTICATION=REQUIRED SEC_DEFAULT_ENCRYPTION=REQUIRED SEC_DEFAULT_INTEGRITY=REQUIRED

40 40 Example Security Configuration # Specify allowed methods: SEC_DEFAULT_AUTHENTICATION_METHODS = FS, SSL SEC_DAEMON_AUTHENTICATION_METHODS = SSL › Requires giving your daemons an X.509 certificates › You will also need a map file for SSL distinguished names. Let’s assume the daemon cert maps to daemon@wisc.edu. › Let’s also assume the admin has a cert that maps to admin@wisc.edu

41 41 Example Security Configuration ALLOW_READ = *.wisc.edu ALLOW_WRITE= *.wisc.edu ALLOW_ADMINISTRATOR = admin@wisc.edu/*.wisc.edu, $(CONDOR_HOST)

42 42 Example Security Configuration ALLOW_DAEMON = daemon@wisc.edu/*.wisc.edu ALLOW_NEGOTIATOR = daemon@wisc.edu/$(CONDOR_HOST)

43 43 Users without Certificates › Using FS authentication these users can submit jobs and view the queue on the local schedd › condor_q –analyze and condor_status won’t work for normal users without an X.509 certificate  Requires READ access to condor_collector › FS won’t work across the network! › How to let anyone read any daemon?

44 44 condor_submit condor_q condor_rm … schedd central manager startd

45 45 Allow Any User Read Access › One option: Allow weak methods for READ: SEC_READ_AUTHENTICATION_METHODS = FS, SSL, CLAIMTOBE SEC_CLIENT_AUTHENTICATION_METHODS = FS, SSL, CLAIMTOBE › Or, just don’t require authentication at all for READ commands: SEC_READ_AUTHENTICATION = OPTIONAL

46 46 Example, on one page SEC_DEFAULT_AUTHENTICATION = REQUIRED SEC_DEFAULT_AUTHENTICATION_METHODS = FS, SSL SEC_DEFAULT_ENCRYPTION = REQUIRED SEC_DEFAULT_INTEGRITY = REQUIRED SEC_READ_AUTHENTICATION = OPTIONAL SEC_DAEMON_AUTHENTICATION_METHODS = SSL ALLOW_READ = *.wisc.edu ALLOW_WRITE= *.wisc.edu ALLOW_ADMINISTRATOR = admin@wisc.edu/*.wisc.edu, \ $(CONDOR_HOST) ALLOW_DAEMON = daemon@wisc.edu/*.wisc.edu ALLOW_NEGOTIATOR = daemon@wisc.edu/$(CONDOR_HOST)

47 47 # Require authentication, encryption, integrity use SECURITY: Strong # By default, must authenticate via filesystem # or pool password SEC_DEFAULT_AUTHENTICATION_METHODS = FS, PASSWORD # Allow READ level access (e.g. condor_status) # with ANONYMOUS authentication SEC_READ_AUTHENTICATION_METHODS = \ $(SEC_DEFAULT_AUTHENTICATION_METHODS), ANONYMOUS # Have tools like condor_status attempt ANONYMOUS # authentication so that condor_status will work # from any machine in the pool. SEC_CLIENT_AUTHENTICATION_METHODS = \ $(SEC_DEFAULT_AUTHENTICATION_METHODS), ANONYMOUS SEC_PASSWORD_FILE = /etc/condor/poolpassword Todd’s Shared Secret Formula

48 48 Conclusion Attached to Indico is Zach’s step-by-step securing via SSL with your own CA talk… … but this is overly complex IMO. Plan on adding security cut-n-paste HOWTOs on wiki.htcondor.org… and hopefully some simpler ‘meta-knobs’ that lean more on convention than configuration.

Download ppt "HTCondor Security Mechanisms Overview “Padlock” by Peter Ford © 2005 Licensed under the Creative Commons Attribution 2.0 license"

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Setting up of condor scheduler on computing cluster Raman Sehgal NPD-BARC.

Setting up of condor scheduler on computing cluster Raman Sehgal NPD-BARC.
Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.

Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.

Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
G22.3250-001 Robert Grimm New York University Protection and the Control of Information Sharing in Multics.

G Robert Grimm New York University Protection and the Control of Information Sharing in Multics.
Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.

Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.
Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.
Installing Samba Vicki Insixiengmay Jonathan Krieger.

Installing Samba Vicki Insixiengmay Jonathan Krieger.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.
Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Zach Miller Computer Sciences Department University of Wisconsin-Madison What’s New in Condor.

Zach Miller Computer Sciences Department University of Wisconsin-Madison What’s New in Condor.

Similar presentations

Ads by Google