Configuring GSI security in Condor
1. Description
This document describes how to configure GSI security in Condor.
2. Required software
Any Condor-supported OS.
The OSG client software.
The Condor distribution.
3. Installation instructions
These installation instructions assume you have installed Condor v7.0.5.
The install directory is /opt/glidecondor.
If you want to use a different setup, make the necessary changes.
Unless explicitly mentioned, all operations are to be done as root.
3.1 Install OSG client
If you have not installed the OSG client in /opt/vdt already, do it now.
(Note: An EGEE/gLite Grid User Interface will work as well, but you need to
replace /opt/vdt with whatever is appropriate for that installation.)
To install the OSG 0.6.0 client, as of the time of writing, you would execute the following as root
(please be aware that you will need gcc, g++ and python-devel installed, and that you may need the -pretend-platform pacman option on some systems):
mkdir /opt/vdt
cd /opt/vdt
wget http://physics.bu.edu/pacman/sample_cache/tarballs/pacman-3.19.tar.gz
tar --no-same-owner -xzvf pacman-3.19.tar.gz
cd pacman-3.19
source setup.sh
cd ..
pacman -trust-all-caches -get OSG:client
#Do you agree to the licenses? [y/n] y
#Would you like to enable the Condor batch system to run automatically? n
#Would you like to setup daily rotation of VDT log files? y
#Do you want to update the CA certification revocation lists (CRLs) automatically? [y/n] y
#Where would you like to install CA files? r
pacman -remove Condor
# The VDT-bundled Condor is not used here (this setup runs its own Condor
# from /opt/glidecondor); ignore any error messages from the removal
source setup.sh
vdt-control --on
PS: The most up-to-date instructions can be found at
https://twiki.grid.iu.edu/twiki/bin/view/ReleaseDocumentation/ClientInstallationGuide.
(Please note that those installation instructions tell you to install in
~/client_directory; use /opt/vdt instead.)
3.2 Prepare the security directories and files
Create /opt/glidecondor/certs:
mkdir /opt/glidecondor/certs
chmod a+rx /opt/glidecondor/certs
This directory will host the grid-mapfile and, if you use one, the service
proxy (see below).
Now you need to select which proxy or certificate will be used for
authentication.
You have essentially three options:
- You use the host certificate and key located in /etc/grid-security.
- You request a service certificate for use with Condor, and put it in
  /opt/glidecondor/certs.
- You create and maintain a valid proxy, obtained from a personal or service
  certificate, in /opt/glidecondor/certs.
  How you keep this proxy valid (via MyProxy, kx509, voms-proxy-init from a
  local certificate, scp from other nodes, or other methods) is beyond the
  scope of this document.
Most of my test installations used option (3), but you may be better served with
(1) or (2) for a large production pool.
Anyhow, most of the examples in this collection will assume you use (3), with
the proxy being named /opt/glidecondor/certs/x509_service_proxy.
Note: The proxy and/or the certificate key must be readable by the owner only!
If it is either group or world readable (and/or writable), Condor will refuse
to use it, since it could have been stolen and/or compromised by then.
Once you have the proxy or the certificate, you need to create
/opt/glidecondor/certs/grid-mapfile and
insert the DN of the proxy/cert followed by a symbolic name.
Assuming the DN of the proxy/cert to be
"/DC=org/DC=doegrids/OU=Service/CN=mycondor345", you would insert:
"/DC=org/DC=doegrids/OU=Service/CN=mycondor345" condor
The symbolic name for the daemon's own DN is not really important; it is not
tied to any Unix account. It is just a nickname you will use in configuration
and log files.
In addition to its own DN, the grid-mapfile must also contain the DNs of all the
clients and servers that will ever talk to this Condor installation.
Again, you will need to add nicknames to those DNs. In the case of a Submit
node or an Execute node running as root, the user nicknames must be actual
Unix accounts, because the daemon acts on behalf of the mapped user under that
account.
In all other cases, the nicknames have no special meaning, and are there just for
use in configuration and log files.
For example, assuming this is the Central Manager, and it has two Submit nodes,
with DNs "/DC=org/DC=doegrids/OU=Service/CN=schedd34" and
"/DC=org/DC=doegrids/OU=Service/CN=schedd98", while all the Execute nodes are
glideins, and thus share the same DN "/DC=org/DC=doegrids/OU=Service/CN=work12",
the /opt/glidecondor/certs/grid-mapfile
could be:
"/DC=org/DC=doegrids/OU=Service/CN=mycondor345" condor
"/DC=org/DC=doegrids/OU=Service/CN=schedd34" scondor1
"/DC=org/DC=doegrids/OU=Service/CN=schedd98" scondor2
"/DC=org/DC=doegrids/OU=Service/CN=work12" gcondor
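The following script is an added example, not code from the glideinWMS page or from Condor. It checks the two things this section asks for (owner-only permissions on the proxy or key, and a well-formed grid-mapfile), looks up the nickname for a DN the way the mapping is read, and, for a root-run Submit or Execute node, checks that every nickname is a real Unix account. The DNs are the ones used above; the files it builds in a temporary directory are constructed fixtures, not real credentials.

```shell
#!/bin/sh
# Added example, not code from the glideinWMS page or from Condor.
# Checks the artifacts created in section 3.2: a proxy/key readable only by
# its owner, and a well-formed grid-mapfile. The files built at the bottom
# are throwaway test fixtures, not real credentials.

# check_owner_only FILE: succeed only if FILE is a regular file with no
# group/other permission bits, which is what Condor demands of a proxy or key.
check_owner_only() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)              # e.g. -rw-------
    rest=$(printf '%s' "$mode" | cut -c5-10)      # group + other bits only
    if [ "$rest" != "------" ]; then
        echo "refusing $f: mode $mode is group/world accessible" >&2
        return 1
    fi
}

# validate_gridmap FILE: every non-blank, non-comment line must be a quoted DN
# (starting with '/') followed by one nickname. Prints offenders and fails.
validate_gridmap() {
    bad=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
          | grep -Ev '^"/[^"]+"[[:space:]]+[A-Za-z0-9_.-]+[[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        printf 'malformed grid-mapfile line(s) in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
}

# gridmap_lookup FILE DN: print the nickname mapped to DN; fail if unmapped.
gridmap_lookup() {
    awk -v dn="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]*"/, "", line)            # drop the opening quote
            q = index(line, "\"")                      # closing quote of the DN
            if (q == 0) next
            if (substr(line, 1, q - 1) == dn) {
                n = split(substr(line, q + 1), tok)    # first token after the DN
                if (n > 0) { print tok[1]; found = 1 }
                exit
            }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_unix_nicknames FILE: on a root-run Submit or Execute node every
# nickname must be a Unix account. Lists the ones that are not and fails.
check_unix_nicknames() {
    missing=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | sed 's/^"[^"]*"[[:space:]]*//' | awk '{ print $1 }' \
        | while read -r nick; do id "$nick" >/dev/null 2>&1 || echo "$nick"; done)
    if [ -n "$missing" ]; then
        printf 'nicknames without a Unix account: %s\n' \
            "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
}

# --- constructed demo: temp dir, fake proxy, the DNs from section 3.2 ---
demo=$(mktemp -d)
proxy="$demo/x509_service_proxy"
gmap="$demo/grid-mapfile"
printf 'not a real proxy\n' > "$proxy"
cat > "$gmap" <<'EOF'
# DN -> nickname
"/DC=org/DC=doegrids/OU=Service/CN=mycondor345" condor
"/DC=org/DC=doegrids/OU=Service/CN=schedd34" scondor1
"/DC=org/DC=doegrids/OU=Service/CN=schedd98" scondor2
"/DC=org/DC=doegrids/OU=Service/CN=work12" gcondor
EOF

chmod 644 "$proxy"
check_owner_only "$proxy" || echo "0644 proxy rejected, as Condor would"
chmod 600 "$proxy"
check_owner_only "$proxy" && echo "0600 proxy accepted"
validate_gridmap "$gmap" && echo "grid-mapfile is well formed"
gridmap_lookup "$gmap" "/DC=org/DC=doegrids/OU=Service/CN=schedd34"   # scondor1
# On a Central Manager the nicknames are only labels, so this just reports;
# on a root-run Submit node the same failure would be a real problem.
check_unix_nicknames "$gmap" || echo "(acceptable on a Central Manager)"
rm -rf "$demo"
```

Run it once after creating the files in /opt/glidecondor/certs, pointing the checks at the real proxy and grid-mapfile; the account check only matters on nodes where the daemons run as root.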
3.3 Configure Condor security
Force GSI authentication in
/etc/condor/condor_config, by adding:
############################################################
## Security config
############################################################
############################
# Authentication settings
############################
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,GSI
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_CLIENT_AUTHENTICATION = OPTIONAL
# Grid Certificate directory
GSI_DAEMON_TRUSTED_CA_DIR=/opt/vdt/globus/TRUSTED_CA
############################
# Privacy settings
############################
SEC_DEFAULT_ENCRYPTION = OPTIONAL
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_READ_INTEGRITY = OPTIONAL
SEC_CLIENT_INTEGRITY = OPTIONAL
SEC_READ_ENCRYPTION = OPTIONAL
SEC_CLIENT_ENCRYPTION = OPTIONAL
############################
# Set daemon cert location
############################
GSI_DAEMON_DIRECTORY = /opt/glidecondor/certs
# Keep this if you use a proxy
GSI_DAEMON_PROXY = $(GSI_DAEMON_DIRECTORY)/x509_service_proxy
# If you use a Certificate, uncomment below, pointing it to the right place,
# and comment out the proxy line
#GSI_DAEMON_CERT = /etc/grid-security/hostcert.pem
#GSI_DAEMON_KEY = /etc/grid-security/hostkey.pem
############################
# Where to find DN->uid mappings
############################
GRIDMAP=$(GSI_DAEMON_DIRECTORY)/grid-mapfile
Since all the security is now GSI based, we don't rely on IP checks anymore.
Change HOSTALLOW_WRITE in /etc/condor/condor_config to
# do not use IP based controls
HOSTALLOW_WRITE = *
This wildcard is only acceptable because SEC_DEFAULT_AUTHENTICATION is REQUIRED
above: a remote client can only write if it authenticates with a DN listed in
the grid-mapfile (FS is usable only by local Unix users on the same host). If
SEC_DEFAULT_AUTHENTICATION is ever relaxed to OPTIONAL or PREFERRED, the
wildcard lets any host write to the pool, so treat the two settings as a pair.
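As an added example (not from the glideinWMS page or from Condor), the script below audits a condor_config for the settings this section depends on, and runs it over the page's configuration and over a weakened copy. cfg_get reads the file directly so the example runs offline; it does not expand $(MACRO) references, whereas on a live node condor_config_val KEY prints the effective, expanded value. Both sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the glideinWMS page or from Condor.
# Audits a condor_config for the settings section 3.3 relies on before
# HOSTALLOW_WRITE is opened to '*'. The sample configs at the bottom are
# constructed for the demo.

# cfg_get FILE KEY: print the value of the last 'KEY = value' line in FILE
# (later definitions win, as in Condor); comment lines are skipped, empty
# output means unset. $(MACRO) references are returned unexpanded.
cfg_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (toupper(k) != toupper(key)) next
            val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        }
        END { print val }' "$1"
}

# upper STRING: Condor's SEC_* values are case-insensitive; normalise them.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# audit_security_config FILE: print each problem on stderr and return the
# number found (0 means the file matches the model in section 3.3).
audit_security_config() {
    cfg=$1; problems=0
    flag() { echo "$1" >&2; problems=$((problems + 1)); }

    auth=$(upper "$(cfg_get "$cfg" SEC_DEFAULT_AUTHENTICATION)")
    methods=$(upper "$(cfg_get "$cfg" SEC_DEFAULT_AUTHENTICATION_METHODS)" | tr -d ' ')
    integrity=$(upper "$(cfg_get "$cfg" SEC_DEFAULT_INTEGRITY)")
    write=$(cfg_get "$cfg" HOSTALLOW_WRITE)
    cadir=$(cfg_get "$cfg" GSI_DAEMON_TRUSTED_CA_DIR)
    gridmap=$(cfg_get "$cfg" GRIDMAP)
    proxy=$(cfg_get "$cfg" GSI_DAEMON_PROXY)
    cert=$(cfg_get "$cfg" GSI_DAEMON_CERT)
    key=$(cfg_get "$cfg" GSI_DAEMON_KEY)

    # The IP wildcard is only acceptable when every writer must authenticate.
    if [ "$write" = "*" ] && [ "$auth" != "REQUIRED" ]; then
        flag "HOSTALLOW_WRITE=* but SEC_DEFAULT_AUTHENTICATION=${auth:-unset}"
    fi
    case ",$methods," in
        *,GSI,*) ;;
        *) flag "GSI missing from SEC_DEFAULT_AUTHENTICATION_METHODS (${methods:-unset})" ;;
    esac
    [ "$integrity" = "REQUIRED" ] || flag "SEC_DEFAULT_INTEGRITY=${integrity:-unset}, expected REQUIRED"
    [ -n "$cadir" ]   || flag "GSI_DAEMON_TRUSTED_CA_DIR unset: no CAs to validate peers against"
    [ -n "$gridmap" ] || flag "GRIDMAP unset: no DN -> nickname mapping"
    # Section 3.3 uses one credential source: a proxy, or a cert/key pair.
    if [ -n "$proxy" ] && { [ -n "$cert" ] || [ -n "$key" ]; }; then
        flag "GSI_DAEMON_PROXY and GSI_DAEMON_CERT/KEY both set; comment out one of them"
    elif [ -z "$proxy" ] && { [ -z "$cert" ] || [ -z "$key" ]; }; then
        flag "no daemon credential: set GSI_DAEMON_PROXY, or both GSI_DAEMON_CERT and GSI_DAEMON_KEY"
    fi
    return "$problems"
}

# --- constructed demo: the section 3.3 settings, then a weakened copy ---
demo=$(mktemp -d)
cat > "$demo/good" <<'EOF'
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,GSI
SEC_DEFAULT_INTEGRITY = REQUIRED
GSI_DAEMON_TRUSTED_CA_DIR=/opt/vdt/globus/TRUSTED_CA
GSI_DAEMON_DIRECTORY = /opt/glidecondor/certs
GSI_DAEMON_PROXY = $(GSI_DAEMON_DIRECTORY)/x509_service_proxy
#GSI_DAEMON_CERT = /etc/grid-security/hostcert.pem
#GSI_DAEMON_KEY = /etc/grid-security/hostkey.pem
GRIDMAP=$(GSI_DAEMON_DIRECTORY)/grid-mapfile
HOSTALLOW_WRITE = *
EOF
# Same file with authentication relaxed and the grid-mapfile line dropped:
# together with HOSTALLOW_WRITE = * this accepts writes from any host.
grep -v '^GRIDMAP' "$demo/good" \
  | sed 's/^SEC_DEFAULT_AUTHENTICATION = REQUIRED/SEC_DEFAULT_AUTHENTICATION = OPTIONAL/' \
  > "$demo/weak"

audit_security_config "$demo/good" && echo "good: matches section 3.3"
audit_security_config "$demo/weak" || echo "weak: $? problem(s) found"
rm -rf "$demo"
```

Point audit_security_config at /etc/condor/condor_config after editing it; a non-zero return is the number of settings that differ from the model above.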
glideinWMS support: glideinwms-support@fnal.gov