Glidein Recipes - Token Authorization

Description

This page documents a recipe for enabling and managing HTCondor Token Authorization between Frontends and Glidein Entry Points (CE's).

Requirements

Requirement	Description
GWMS Factory Version >= 3.7	The Factory can be either a fresh install from yum/RPM or a yum upgrade, as long as it meets the version requirements.
GWMS Frontend Version >= 3.7	The Frontend, like the Factory, can be made to meet version requirements via either a fresh install or upgrade.
HTCondor Version >= 8.9.1	HTCondor that the Frontend uses must be a token supporting release. The HTCondor tarballs delivered by Factory entry points also need to be a token supporting release. It is not necessary to upgrade the main Factory HTCondor as long as the GlideinWMS version of the factory complies with the >= 3.7 requirement.
Sudo access for 'frontend' user on gwms-frontend machine	The frontend user needs to be able to create passwords and tokens derived from these passwords. The following two lines must be present in /etc/sudoers on the gwms-frontend machine: frontend ALL=(ALL) NOPASSWD:SETENV: /usr/sbin/condor_store_cred frontend ALL=(ALL) NOPASSWD:SETENV: /usr/bin/condor_token_create

Upgrade and Configure Frontend Condor

Upgrade condor on the frontend machine to a token supporting version. Instructions for installing the from the official HTCondor repo are here . It is often easier to install condor from the OSG repos. At the time of this writing (2/11/20) the easist way to install condor 8.9.5 was:
```
# yum -y --enablerepo osg-upcoming install condor
```
Make condor passwords and tokens directories if they don't already exist
```
# mkdir -p /etc/condor/passwords.d /etc/condor/tokens.d
```

The utility /usr/local/bin/gwms_condor_ping should be present if 3.7 has been installed correctly. If it is not present, create it now as it is useful for verifying TOKEN functionality

# cat /usr/local/bin/gwms_condor_ping
#!/bin/sh
# a convenience wrapper for condor_ping
# returns a table of authorizations, useful to see
# if token_auth has been correctly set up
#
if [ "$1" = "" ]; then
   HOST=$HOSTNAME
else
   HOST=$1
fi
condor_ping -addr "<$(host $HOST | sed -e 's/.* //'):9618>" -table ALL

#

As token authentication is not enabled, the output of gwms_condor_ping should show FS or GSI authentication being used:

# gwms_condor_ping
         Instruction Authentication Encryption Integrity Decision Identity
               ALLOW             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov
                READ           none       none      none    ALLOW unauthenticated@unmapped
               WRITE             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov
          NEGOTIATOR             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov
       ADMINISTRATOR             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov
               OWNER             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov
              CONFIG             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov
              DAEMON             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov
    ADVERTISE_STARTD             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov
    ADVERTISE_SCHEDD             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov
    ADVERTISE_MASTER             FS       none       MD5    ALLOW condor@fermicloud158.fnal.gov

Add the following lines to the frontends condor configuration:

ALLOW_READ = *
ALLOW_DAEMON = $(ALLOW_WRITE)
SEC_DEFAULT_AUTHENTICATION_METHODS = TOKEN,FS,GSI
ALL_DEBUG = D_SECURITY, D_FULLDEBUG
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS)
SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS)
QUEUE_SUPER_USER = root, condor
RUNTIME_CONFIG_ADMIN = condor@$(FULL_HOSTNAME), root@$(FULL_HOSTNAME)
ALLOW_CONFIG = $(RUNTIME_CONFIG_ADMIN)

Finally:
- create a condor pool password
- create a condor admin token
- restart condor

# openssl rand -base64 64 | condor_store_cred -u condor_pool@$HOSTNAME \
-f /etc/condor/passwords.d/POOL add
# condor_token_create -identity condor@$HOSTNAME -token condor.$HOSTNAME.token
# /bin/cp /root/.condor/tokens.d/condor.$HOSTNAME.token /etc/condor/tokens.d/admin.token
# systemctl restart condor

The output of gwms_condor_ping for the root user should now show that it is using TOKEN authentication for most services

[root@fermicloud158 ~]# gwms_condor_ping
         Instruction Authentication Encryption Integrity Decision Identity
               ALLOW          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov
                READ           none       none      none    ALLOW unauthenticated@unmapped
               WRITE          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov
          NEGOTIATOR          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov
       ADMINISTRATOR          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov
               OWNER          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov
              CONFIG          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov
              DAEMON          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov
    ADVERTISE_STARTD          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov
    ADVERTISE_SCHEDD          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov
    ADVERTISE_MASTER          TOKEN       none       MD5    ALLOW condor@fermicloud158.fnal.gov

Check the condor logs for unusual authentication errors.

Upgrade Factory Tarballs

Go to the HTCondor Downloads page and download a 64bit stripped compressed tarball from the "HTCondor Binaries and Source" section. These instructions have been tested with tarballs condor-8.9.1-x86_64_RedHat7-stripped.tar.gz through condor-8.9.5-x86_64_RedHat7-stripped.tar.gz
Copy your downloaded tarball to the /var/lib/gwms-factory/condor directory on the Factory. Untar it
```
            tar xvzf condor-8.9.5-x86_64_RedHat7-stripped.tar.gz 
```

Add a line to the <condor_tarballs> section of the Factory XML configuration files that points to the condor tarball you just downloaded

<condor_tarballs>
      <condor_tarball arch="x86_64" base_dir="/var/lib/gwms-factory/condor/condor-8.9.5-x86_64_RedHat7-stripped" os="rhel7" version="8.9.5"/>
</condor_tarballs>

Modify the <attrs> section of an <entry> configuration in the Factories XML to use the newly configured condor_tarball

<entry name="some_site_being_modified" ...>
...
<attrs>
<attr name="CONDOR_ARCH" const="False" glidein_publish="False" job_publish="False" parameter="True" publish="True" type="string" value="x86_64"/>
<attr name="CONDOR_OS" const="False" glidein_publish="False" job_publish="False" parameter="True" publish="True" type="string" value="rhel7"/>
<attr name="CONDOR_VERSION" const="False" glidein_publish="False" job_publish="False" parameter="True" publish="True" type="string" value="8.9.5"/>
...
</attrs>

Reconfigure the factory so the XML changes take effect

# systemctl stop gwms-factory.service
# /usr/sbin/gwms-factory reconfig
# systemctl start gwms-factory.service

Verify Token Functionality

Checklist for Frontend prior to full chain token authentication
- GWMS >= 3.7 has been installed on Frontend, or Frontend has been modified to run git branch v37/23092. In either case, the following scripts should exist:
  - /usr/sbin/frontend_condor_token
  - /usr/local/bin/gwms_condor_ping
- gwms_condor_ping shows TOKEN authentication for 'root' user
- 'frontend' user present in /etc/sudoers as documented in Requirements section
- GWMS >= 3.7 has been installed on Factory, or Factory has been modified to run git branch v37/23092.
- An Entry Point on the factory has been configured to deliver a condor tarball >= 8.9.1
Submit a condor job to the Frontend with condor requirements that make it run on the newly modified Factory Entry Point. Make sure the job has a 'printenv' or equivalent in it to show the environment the job runs under.
When the job completes, check the output from the 'printenv' command. If a token was generated by the Frontend, forwarded to the Factory, forwarded again to the CE, and integrated into the glidein enviroment, GLIDEIN_CONDOR_TOKEN will be set and its value will include the GLIDEIN_Site name, for example for GLIDEIN_Site el7_ GLIDEIN_CONDOR_TOKEN=/tmp/glide_SpYzMq/ticket/el7_osg34_token.

Revoking Tokens for Entry Points

Each Glidein_Site that a Frontend submits to is sent condor_tokens generated from a unique password for that site. If the password is changed, all existing tokens for that site become invalid, and token authentication for any running glideins at that site will stop working. New glideins requested by the Frontend will use the new password, and valid tokens will be sent to the Factory and on to the CE's. A quick way to change a token generating password from the command line is
```
            # export GLIDEIN_SITE='HCC_US_Omaha_crane_gpu'
            # openssl rand -base64 64 | sudo /usr/sbin/condor_store_cred -u frontend@$HOSTNAME -f /etc/condor/passwords.d/${GLIDEIN_SITE} add
            
```

Limitations

This recipe enables Condor TOKEN authentication but still allows GSI authentication if a TOKEN is revoked. This may not be the desired behavior.
More fine grained authorization scope and management of token lifetime is possible and desirable. Consider this implementation 0.1
SciToken authentication and its interactions with Condor and GlideinWMS are not addressed in this document.

GlideinWMS The Glidein-based Workflow Management System

Token Authorization