HTCondor Security: Philosophy and Administration Changes (PowerPoint PPT Presentation)


  1. HTCondor Security: Philosophy and Administration Changes. FEARLESS SCIENCE

  2. “Forget what you know about HTCondor security. We changed it.”

  3. Establishing a secure pool. Where’s my easy button? Traditionally, there has been no “easy button” for setting up strong security on pools.
• Very easy to set up poor security.
• Very hard to find good advice on strong security.
• No tools provided by HTCondor to set up strong authentication.
• Is the answer “Google for how to create a new CA with OpenSSL”?
In 2019, we spent significant blood, sweat, and tears providing a new authentication method and new tooling to set up your pool. (Actual product, if anyone is interested…)

  4. Classic HTCondor Daemon Security. For invoking a remote command:
• The server and client negotiate an authentication method to establish identities.
• Example methods: GSI, PASSWORD, SSL.
• Once an identity is established, HTCondor determines whether the requested command is authorized.
• Can user foo@example.com perform actions that require DAEMON-level authorization?
Nobody trusts nobody: all authentication is established from scratch, and each pair of daemons that want to talk had to perform this dance!

  5. How do we set up SSL security for HTCondor?

  6. Setting up SSL Security. Step 0. Figure out that this is a thing you want to do! … oodles of old presentations to go through. Which one is right?

  7. Setting up SSL Security. 1a. Find Zach Miller’s HTCondor Week 2011 talk. 1b. Whoops.

  8. Setting up SSL Security. 1. Ask Google for help.

  9. Setting up SSL Security. 2. Distribute the CA across the cluster … and add some modest configs … and distribute host certificates everywhere.

  10. Setting up SSL Security. 2. Distribute the CA across the cluster. 3. Configure schedd -> collector auth. 4. startd -> collector auth. 5. negotiator -> schedd. 6. schedd -> startd.

  11. Setting up SSL Security. 7. … Or just give up and use host-based security?

  12. “Match Password Authentication”. For a few years, HTCondor has had “match password” security. In this case:
• The startd generates a capability, T, and sends it to the collector in its ClassAd.
• Anyone with T is allowed to start jobs on the startd.
• The negotiator gets T from the collector, because the collector trusts the negotiator.
• The schedd gets T as part of the “match” created by the negotiator.
• Hence the name “match password”.
The startd trusts any negotiator trusted by its collector, + the negotiator trusts any schedd advertised in the collector, = the startd trusts any schedd in its collector.

  13. Extending Trust in the Collector. Starting in 8.9.x, the schedd also generates a token, T’, and sends it in its ClassAd.
• The schedd trusts that the collector only gives T’ to trustworthy negotiators.
• Any client with T’ is allowed to act as a negotiator for the schedd.
Note that the only “full authentication” arrows in the diagram are those to the collector.

  14. TRUST THE COLLECTOR. In 8.9, all trust is established through the collector.
• Instead of needing credentials between every pair of daemons, only credentials to authenticate with the collector are needed.
• We implicitly trust anyone the collector hands our security sessions to.
• Think of the collector as establishing a trust domain.
• Trust domain -> the set of daemons run by the same administrator.
If we trust the collector, why not allow it to issue credentials?

  15. Introducing: The IDTOKEN
eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYXQiOjE1ODk1NjYwOTEsImlzcyI6ImNvbGxlY3Rvci5leGFtcGxlLmNvbSIsImp0aSI6ImQyODI1YjNhYTkyNzcyYWQ3ZmJiNmNmMDNmZmI0ZmU2Iiwic3ViIjoiYnJpYW4uYm9ja2VsbWFuQGNvbGxlY3Rvci5leGFtcGxlLmNvbSJ9.z8LUtjmqL_bqXTtUpC0-nXGflBfW3zI0JuB43S9MOGE
Many of the ideas were extensions of approaches developed as part of SciTokens (NSF #1738962).

  16. IDTOKENS. An IDTOKEN is a bearer token that can be used to authenticate an identity:
• An IDTOKEN is signed (often by the collector); the signature can be validated by any daemon that holds the master password.
• Any given token is valid within a single trust domain.
• Multiple master passwords can be used within the same trust domain.
• The IDTOKEN embeds an identity. The HTCondor authorization system operates on this identity.
• The IDTOKEN may contain restrictions: on when the token is valid (“expires next week”) and on what the token can be used for (“useful only for READ permission”).
Any client can hold multiple IDTOKENS; this is useful for authenticating with servers in different trust domains!

  17. Big secret: IDTOKENS are JWTs – Basic Example. Decoding the token from slide 15 (output from jwt.io) gives these claims:
• “iat”: 1589566091 – when the token was issued
• “iss”: “collector.example.com” – the trust domain (“iss” -> issuer)
• “jti”: “d2825b3aa92772ad7fbb6cf03ffb4fe6” – unique ID
• “sub”: “brian.bockelman@collector.example.com” – user identity

  18. IDTOKENS have IDs. The IDTOKEN contains an identity within HTCondor. There is no “mapfile” as in SSL/GSI, because there is no external identity to map. You still have to authorize an identity to perform an action (ALLOW_* options).

  19. Big secret: IDTOKENS are JWTs – Complex Example. Decoding a token issued with a lifetime and an authz restriction (for example the one created by condor_token_create on slide 22; output from jwt.io) gives:
• “exp”: 1589829835 – limit on lifetime (“exp” = expiration)
• “iat”: 1589826235
• “iss”: “collector.example.com”
• “scope”: “condor:/READ condor:/WRITE” – limit on authz
• “sub”: “brian.bockelman@collector.example.com”

  20. Trust domains, tokens, and passwords – Oh my! To see trust domains, tokens, and passwords in action, consider the case of schedd flocking:
• Each pool is a different trust domain: the two pool administrators are distinct!
• Accordingly, each collector has a separate master password.
• Each token belongs to one trust domain (and is signed by a different password), so the schedd needs two tokens, one for each pool!
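The following Python is an added example, not code from the talk or from HTCondor. It decodes the two IDTOKENs printed on slides 15 and 22, then shows the checks a daemon holding a master password performs before trusting the identity in a bearer token: algorithm pinning, HMAC signature, trust domain (“iss”), expiration (“exp”) and the authz restriction (“scope”). The master passwords, the startd identity and the second pool “pool-b.example.com” are constructed for the example, and using the raw password bytes as the HS256 key is a simplification rather than HTCondor’s actual key derivation.

```python
import base64
import hashlib
import hmac
import json

# The two IDTOKENs printed on slides 15 and 22. Their claims can be read offline, but their
# signatures cannot be checked here: the master password that signed them is not on the page.
BASIC_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ."
    "eyJpYXQiOjE1ODk1NjYwOTEsImlzcyI6ImNvbGxlY3Rvci5leGFtcGxlLmNvbSIsImp0aSI6ImQyODI1YjNhYTkyNzcyYWQ3ZmJi"
    "NmNmMDNmZmI0ZmU2Iiwic3ViIjoiYnJpYW4uYm9ja2VsbWFuQGNvbGxlY3Rvci5leGFtcGxlLmNvbSJ9."
    "z8LUtjmqL_bqXTtUpC0-nXGflBfW3zI0JuB43S9MOGE"
)
COMPLEX_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ."
    "eyJleHAiOjE1ODk4Mjk4MzUsImlhdCI6MTU4OTgyNjIzNSwiaXNzIjoiY29sbGVjdG9yLmV4YW1wbGUuY29tIiwic2NvcGUiOiJj"
    "b25kb3I6L1JFQUQgY29uZG9yOi9XUklURSIsInN1YiI6ImJyaWFuLmJvY2tlbG1hbkBjb2xsZWN0b3IuZXhhbXBsZS5jb20ifQ."
    "NxOw5f9GsmGgwV0TezisZwmtqRbRuGHvj8G1r5esdLI"
)

# Constructed master passwords for two pools (two trust domains); not real secrets.
POOL_A_KEYS = {"POOL": b"constructed-master-password-for-pool-a"}
POOL_B_KEYS = {"POOL": b"constructed-master-password-for-pool-b"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Header and claims of a JWT without any signature check: inspection only (what jwt.io
    shows). Never make an authorization decision on this output."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def mint(claims: dict, key: bytes, kid: str = "POOL") -> str:
    """Issue an HS256 JWT with the structure of the tokens on the slides. Simplification: the
    password bytes are used directly as the HMAC key (HTCondor's key derivation is not modelled)."""
    def enc(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    signing_input = enc({"alg": "HS256", "kid": kid}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, keys: dict, trust_domain: str, now: int, needed_authz=None) -> dict:
    """The checks a daemon makes before trusting the identity in a bearer token.
    keys maps "kid" -> master password (several passwords may coexist in one trust domain)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour "none" or alg switching
        raise ValueError("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # only now are the claims trustworthy
    if claims.get("iss") != trust_domain:
        raise ValueError("token belongs to another trust domain")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if needed_authz is not None and "scope" in claims:  # no scope claim -> no restriction
        granted = {s[len("condor:/"):] for s in claims["scope"].split() if s.startswith("condor:/")}
        if needed_authz not in granted:
            raise ValueError(f"token not valid for {needed_authz}")
    return claims


def check(token, keys, trust_domain, now, needed_authz=None) -> str:
    """'ok' or the reason the token was rejected."""
    try:
        verify(token, keys, trust_domain, now, needed_authz)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    for tok in (BASIC_TOKEN, COMPLEX_TOKEN):
        print(*decode_unverified(tok))
    tok = mint({"iat": 1000, "exp": 4600, "iss": "collector.example.com",
                "scope": "condor:/READ", "sub": "startd@collector.example.com"}, POOL_A_KEYS["POOL"])
    print(check(tok, POOL_A_KEYS, "collector.example.com", now=2000, needed_authz="READ"))
    print(check(tok, POOL_A_KEYS, "collector.example.com", now=2000, needed_authz="WRITE"))
    print(check(tok, POOL_A_KEYS, "collector.example.com", now=5000))
    print(check(tok, POOL_B_KEYS, "pool-b.example.com", now=2000))  # flocking: pool B needs its own token
```

The last call is the flocking case from slide 20: a token signed with pool A’s master password fails signature validation at pool B’s collector, which is exactly why a flocking schedd needs one token per pool. Pinning the algorithm before looking at the signature matters because a JWT verifier that accepts whatever “alg” the header announces can be talked into accepting an unsigned token.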

  21. Where to find my token information. Each token is a file in a directory:
• ~/.condor/tokens.d/ (users)
• /etc/condor/tokens.d/ (condor or root)
• Overridden by SEC_TOKEN_DIRECTORY
Each master password is also a file in a directory:
• /etc/condor/passwords.d/
• Overridden by SEC_PASSWORD_DIRECTORY
The trust domain is configured by:
• TRUST_DOMAIN
• Defaults to $(COLLECTOR_HOST)

  22. Bootstrapping Trust – Creating an IDTOKEN. Anyone who can read the master password can issue any token they want using condor_token_create.
$ sudo condor_token_create \
    -identity brian.bockelman@collector.example.com \
    -lifetime 3600 \
    -authz READ -authz WRITE
eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJleHAiOjE1ODk4Mjk4MzUsImlhdCI6MTU4OTgyNjIzNSwiaXNzIjoiY29sbGVjdG9yLmV4YW1wbGUuY29tIiwic2NvcGUiOiJjb25kb3I6L1JFQUQgY29uZG9yOi9XUklURSIsInN1YiI6ImJyaWFuLmJvY2tlbG1hbkBjb2xsZWN0b3IuZXhhbXBsZS5jb20ifQ.NxOw5f9GsmGgwV0TezisZwmtqRbRuGHvj8G1r5esdLI

  23. Fetching an IDTOKEN. Does authentication work now, but you need to squirrel away an IDTOKEN for future use? condor_token_fetch to the rescue!
• This tool authenticates with a daemon and asks the daemon to sign a token on behalf of the user’s identity. The resulting identity is identical to the authenticated one.
• Use case: I have an SSH login to a local schedd but want to remotely submit to a schedd in the same trust domain.

  24. Requesting an IDTOKEN. Want to get an IDTOKEN on a machine without authenticating?
• condor_token_request allows an anonymous user to request a token for an arbitrary identity X.
• The token request can be approved either by an admin or by a user authenticated as X.
• Anyone can ask. Few can approve!
• Use case: I have an SSH login on a schedd and want to start submitting jobs from my laptop.
• Solution: Request a token from my laptop; log in to the submit host and approve the request.
• DO NOT COPY/PASTE TOKENS. Instead, use condor_token_request!
The startd, master, and schedd will automatically request tokens from the collector if authentication fails.

  25. Bootstrapping Trust – Auto-approval. Token requests are a handy tool for securely bootstrapping authentication: they provide a way to move credentials securely.
• Great tool for adding a new worker node by hand.
• Crappy tool for adding 1,000 worker nodes!
Auto-approval mode to the rescue! It automatically approves certain requests from a specific network for a limited time. How do I install a new cluster?
• On first start, a collector automatically generates a new master password.
• Enable auto-approval mode for hosts coming from the new subnet.
• If a schedd, startd, or master cannot authenticate with the collector, it will automatically request a token. If the request comes from the correct subnet, the token is issued immediately.
• Wait for all the hosts to show up in condor_status, then disable auto-approval mode.
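The following Python is an added example, not part of the talk and not HTCondor’s implementation: it models the decision rules behind token requests, approval and auto-approval as slides 24 and 25 describe them. Anyone may request a token for any identity; only an administrator or a client already authenticated as that identity may approve it; a live auto-approval rule issues requests from its netblock at once, and requests from elsewhere, or after the rule lapses, stay pending. The identities, addresses and the 10.0.0.0/24 worker subnet are constructed; signing the resulting claims is out of scope here.

```python
import ipaddress
import itertools


class TokenRequestBroker:
    """Model of the approval rules on slides 24 and 25 (an added illustration, not
    HTCondor's code). Anyone may request a token for any identity; only an administrator
    or a client already authenticated as that identity may approve it; an auto-approval
    rule issues requests from a netblock immediately, but only while the rule is live."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.pending = {}        # reqid -> request awaiting approval
        self.auto_rules = []     # (ip_network, time at which the rule stops applying)
        self._ids = itertools.count(1)

    def enable_auto_approve(self, netblock: str, lifetime: int, now: int) -> None:
        """Auto-approve requests from netblock for the next `lifetime` seconds only."""
        self.auto_rules.append((ipaddress.ip_network(netblock), now + lifetime))

    def request(self, identity: str, authz, source_ip: str, now: int):
        """Unauthenticated request. Returns (reqid, claims); claims is None while it waits."""
        req = {"identity": identity, "authz": list(authz), "source_ip": source_ip}
        reqid = next(self._ids)
        ip = ipaddress.ip_address(source_ip)
        if any(now < until and ip in net for net, until in self.auto_rules):
            return reqid, self._issue(req)          # matches a live auto-approval rule
        self.pending[reqid] = req                   # otherwise somebody must approve it
        return reqid, None

    def approve(self, reqid: int, approver: str) -> dict:
        """approver is the identity the approving client authenticated to the daemon as."""
        req = self.pending.get(reqid)
        if req is None:
            raise KeyError(f"no pending request {reqid}")
        if approver not in self.admins and approver != req["identity"]:
            raise PermissionError("only an admin or the requested identity itself may approve")
        del self.pending[reqid]
        return self._issue(req)

    @staticmethod
    def _issue(req) -> dict:
        # Claims that would go into the signed IDTOKEN; no scope claim means no authz restriction.
        claims = {"sub": req["identity"]}
        if req["authz"]:
            claims["scope"] = " ".join(f"condor:/{a}" for a in req["authz"])
        return claims


if __name__ == "__main__":
    broker = TokenRequestBroker(admins={"condor@collector.example.com"})
    # Laptop use case: request from an untrusted address, approve from an SSH login as the same user.
    reqid, claims = broker.request("brian@collector.example.com", ["READ", "WRITE"], "203.0.113.5", now=0)
    print(reqid, claims)                                             # pending
    print(broker.approve(reqid, "brian@collector.example.com"))      # issued
    # Cluster install: auto-approve the worker subnet for ten minutes, then let it lapse.
    broker.enable_auto_approve("10.0.0.0/24", lifetime=600, now=100)
    print(broker.request("condor@wn01.example.com", [], "10.0.0.7", now=200))   # issued at once
    print(broker.request("condor@wn02.example.com", [], "192.0.2.9", now=200))  # wrong subnet: pending
    print(broker.request("condor@wn03.example.com", [], "10.0.0.8", now=800))   # rule lapsed: pending
```

The point of the time bound is the last call: once the install window closes, a request from the right subnet is no longer enough, so a machine that later appears on that network still needs an administrator (or the identity itself) to approve it.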
