IDTOKEN Authentication in HTCondor Software Suite Week 2022

idtoken authentication in the htcondor software n.w
1 / 24
Embed
Share

This presentation delves into the need for authentication in the HTCondor Software Suite (HTCSS), highlighting the utilization of IDTOKENS for securing pools and accessing remote points. It covers advanced topics such as token requests, invalidation, and the secure presentation of IDTOKENS, offering insights for admins, users, and understanding the motivation behind a new authentication method in HCSS.

  • HTCondor
  • Authentication
  • IDTOKEN
  • Security
  • University
rayaanacharya
zang162 Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. IDTOKEN Authentication in the HTCondor Software Suite (HTCSS) HTCondor Week 2022 Todd Tannenbaum Center for High Throughput Computing University of Wisconsin-Madison

  2. Outline Introduction and Motivation Need for authentication in HTCSS Need for yet another authentication method Basic Concepts and Usage For Admins: Using IDTOKENS to secure your Pool For Users: Using IDTOKENS to utilize a remote Access Point Advanced Topics Invalidation Multiple signing keys, multiple tokens Token Requests How does HTCSS securely present IDTOKENS 2

  3. Introduction and Motivation 3

  4. Need for Authentication in HTCSS condor_reconfig condor_off condor_userprio condor_drain 1. HTCondor services (aka daemons) authenticating to remote HTCondor services Only allow trusted nodes into the pool 2. Users authenticating to an Access Point (schedd) Need to know who owns which jobs 3. Admins authenticating to an HTCondor service Only allow trusted users to make administrative changes Central Manager negotiator collector Access Point Worker Node schedd startd condor_submit condor_rm 4

  5. After Authentication comes Authorization Authentication method results an identity Identities are granted authorizations via HTCSS configuration, e.g. # Processes that authenticate as user condor # are considered services in my HTCondor Pool ALLOW_DAEMON = condor@mysite # Users alice and bob can submit jobs ALLOW_WRITE = alice@mysite, bob@mysite # root or condor can do administration ALLOW_ADMINISTRATOR = root@mysite, condor@mysite 5

  6. Why yet another authentication method? HTCSS can perform authentication via many different methods, but they all had shortcomings or complications FS (filesystem) : Cannot work over the network, since the server challenges the client to create a file with proper ownership in /tmp POOL (pool password): Only for daemons, not for tools / users. SSL, GSI, SCITOKENS, KERBEROS, MUNGE: Requires significant setup work and/or installations from third-party for tools/services Wanted a solution that is self-contained, works over the network, and works for daemons or users using tools Thereby suitable for a "secure by default" installation 6

  7. BASIC CONCEPTS AND USAGE 7

  8. The IDTOKEN issued date issuer unique id identity An IDTOKEN contains: An Identity. Also Issuer, Unique ID, Issued date, possibly an Expiration date. Authorization limits. If present, these reduce the authorizations configured at the server it does NOT add authorizations. All signed with a Digital Signature (using a secret signing key stored on the server) to prove authenticity Serialized out as an alphanumeric string and stored in a file. An IDTOKEN is always presented by a client to a server. The server must have access to the same secret key that was used to sign the client's token. 8

  9. Two Concrete Examples Example 1 - For Admins: Using IDTOKENS to secure your Pool (or exactly how does get_htcondor setup security?) Example 2 - For Users: Using IDTOKENS to utilize a remote Access Point 9

  10. Example 1: IDTOKENS to secure a pool Central Manager The key to a secure pool is to only allow trusted (authenticated and authorized) startds and schedds to advertise into the collector. negotiator ALLOW_DAEMON = condor@cm.myorg collector Access Point Worker Node schedd startd 10

  11. Example 1: IDTOKENS to secure a pool Central Manager 1. Create a signing key file on the central manager negotiator ALLOW_DAEMON = condor@cm.myorg A random key will be created by default at collector startup, or explicitly create with tool: condor_store_cred add -c Signing key is stored by default in file /etc/condor/passwords.d/POOL collector Access Point Worker Node schedd startd 11

  12. Example 1: IDTOKENS to secure a pool Central Manager 1. Create a signing key file on the central manager negotiator 2. Create an IDTOKEN file with identity "condor" on central manager Use tool condor_token_create -identity condor@cm.myorg ALLOW_DAEMON = condor@cm.myorg collector Access Point Worker Node schedd startd 12

  13. Example 1: IDTOKENS to secure a pool Central Manager 1. Create a signing key file on the central manager negotiator 2. Create an IDTOKEN file with identity "condor" on central manager Use tool condor_token_create -identity condor@cm.myorg ALLOW_DAEMON = condor@cm.myorg collector Access Point Worker Node 3. Copy this IDTOKEN file to each trusted server you want to join your pool Place file into directory /etc/condor/tokens.d schedd startd 13

  14. Example 1: IDTOKENS to secure a pool condor_reconfig condor_off condor_userprio condor_drain Central Manager What about securing administrator commands? Say we want root on the central manager to be able to issue admin commands to remote access points and worker nodes . ? Hint: It won't work the access point and worker nodes cannot validate the token (no signing key) negotiator ALLOW_DAEMON = condor@cm.myorg ALLOW_ADMINISTRATOR = \ condor@cm.myorg collector Access Point Worker Node schedd startd ALLOW_ADMINISTRATOR = \ condor@cm.myorg ALLOW_ADMINISTRATOR = \ condor@cm.myorg 14

  15. Example 1: IDTOKENS to secure a pool condor_reconfig condor_off condor_userprio condor_drain Central Manager What about securing administrator commands? Say we want root on the central manager to be able to issue admin commands to remote access points and worker nodes . ? Hint: It won't work the access point and worker nodes cannot validate the token (no signing key) A Solution: Place the signing key on all trusted nodes in your pool! Voila! negotiator ALLOW_DAEMON = condor@cm.myorg ALLOW_ADMINISTRATOR = \ condor@cm.myorg collector Access Point Worker Node schedd startd ALLOW_ADMINISTRATOR = \ condor@cm.myorg ALLOW_ADMINISTRATOR = \ condor@cm.myorg 15

  16. Example 1: IDTOKENS to secure a pool Central Manager This diagram depicts how a pool is configured for security after installing via the get_htcondor tool! You can learn a lot by inspecting output from use security:get_htcondor_tokens use role:CentralManager negotiator collector Access Point Worker Node schedd startd curl -fsSL get.htcondor.org | bash -s -- --execute cm.org use security:get_htcondor_tokens use role:Submit use security:get_htcondor_tokens use role:Execute and condor_config_val use security:get_htcondor_idtokens 16

  17. Example 2: Using a remote Access Point Access Point schedd condor_submit condor_rm Bob is a normal user (no root access) Bob can ssh into an access point and submit. But he wants to submit from his laptop 17

  18. Example 2: Using a remote Access Point Step 1: Bob does a ssh login to his access point He cannot use condor_token_create; only root can read signing keys in /etc/condor/passwords.d so instead Step 2: Bob creates an IDTOKEN with identity "Bob" via condor_token_fetch tool condor_token_fetch authenticates to the schedd (via FS, filesystem auth), asks the schedd to create an IDTOKEN on behalf of the user s identity. Resulting IDTOKEN identity is identical to authenticated identity. Step 3: Bob copies output from condor_token_fetch to his laptop, storing it in a file in directory ~/.condor/tokens.d. Bob can now access the remote schedd as "Bob". Voila! Access Point schedd condor_submit condor_rm 18

  19. Summary of Commands condor_store_cred add c : Command to store a signing key. condor_token_create : Allows anyone who can read a signing key (usually just root) to create and sign an IDTOKEN with any given identity. Example with attenuation (auth limits, expiration): condor_token_fetch : Authenticate with a daemon and create an IDTOKEN on behalf of the user s identity. condor_token_list : display properties of available IDTOKENS by scanning IDTOKEN directories 19

  20. Summary of Default Pathnames /etc/condor/passwords.d/ : Directory containing signing keys. Default signing key is in a file named "POOL" in this directory. Only readable/writeable by root. /etc/condor/tokens.d : Directory containing IDTOKEN files used by process with root access (HTCSS daemons, administrators with sudo). Only readable/writeable by root. ~/.condor/tokens.d : Directory in a user's home directory containing IDTOKEN files used by a process without root access (unprivileged users). Only readable/writeable by that user. All default path locations can be changed via configuration 20

  21. ADVANCED TOPICS 21

  22. Advanced Q&A How does a client securely present IDTOKENS to a remote server? The digital signature of the token is used as a shared secret to initiate a secure communication channel over the network (via the AKEP2 protocol). How can I perform Token Revocation? You could remove authorization of the identity, e.g., in the config put DENY_WRITE = todd@cm.my.org A classad constraint expression that can conditionally refuse tokens based on any attribute, such as identity, date range when issued, serial number. See examples in the IDTOKENS section of the HTCSS Manual: https://tinyurl.com/ygqsc94j You can remove the signing key file, which effectively invalidates all tokens signed with that key How does a client decide which token to use? If the tokens.d directory has multiple files, they are scanned in lexical order, and first token that was issued from the server's trust domain and signed by a key file still present on the server is selected. IDTOKENS are follow the JSON Web Token (JWT) standard. Why do I care? Is there an alternative to users doing scp or copy-n-paste of tokens? 22

  23. Slide courtesy of Brian Bockelman's talk "Security in HTCondor 9.0" at HTCondor Week 2021 v9.x 23

  24. Thank You! Follow us on Twitter! https://twitter.com/HTCondor This work is supported by NSF under Cooperative Agreement OAC-2030508 as part of the PATh Project. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF 24

Related


Installations and Commissioned APP Tutorial

Installations and Commissioned APP Tutorial

ivaan
Day 1: Autodesk Inventor Tutorial

Day 1: Autodesk Inventor Tutorial

graciemai
Professional Standards Management Information Dashboard - May 2022 Update

Professional Standards Management Information Dashboard - May 2022 Update

isaiah
libfabric: A Comprehensive Tutorial on High-Level and Low-Level Interface Design

libfabric: A Comprehensive Tutorial on High-Level and Low-Level Interface Design

faris
INCOSE Texas Gulf Coast Chapter April 2022 Monthly Meeting Highlights

INCOSE Texas Gulf Coast Chapter April 2022 Monthly Meeting Highlights

juelz
Interactive Tutorial on Degenerate Perturbation Theory: QuILT Development and Student Difficulties

Interactive Tutorial on Degenerate Perturbation Theory: QuILT Development and Student Difficulties

jac
Micro:bit Robot Entry Tutorial with YahBoom - Buzzer Singing Lesson

Micro:bit Robot Entry Tutorial with YahBoom - Buzzer Singing Lesson

uhtred
Step-by-Step Tutorial on Saving to Your Learner's Drive

Step-by-Step Tutorial on Saving to Your Learner's Drive

ealki
Financial System Journal Entries Tutorial

Financial System Journal Entries Tutorial

ayo_sta
SEFA ePledge Tutorial for New York State Employees

SEFA ePledge Tutorial for New York State Employees

yukikogh
Important Dates and Information for CUET (UG) 2022

Important Dates and Information for CUET (UG) 2022

watkins_i
Tutorial on Processing Slides and Embedding Animations for JACoW Team Meeting

Tutorial on Processing Slides and Embedding Animations for JACoW Team Meeting

dilo802
Python Review for Data Analytics Tutorial

Python Review for Data Analytics Tutorial

byrd_l
INCOSE Texas Gulf Coast Chapter (TGCC) May 2022 Monthly Meeting Highlights

INCOSE Texas Gulf Coast Chapter (TGCC) May 2022 Monthly Meeting Highlights

summerra
Micro:bit Robot Entry Tutorial - Advanced Lesson on Breathing Lamp with YahBoom (80 characters)

Micro:bit Robot Entry Tutorial - Advanced Lesson on Breathing Lamp with YahBoom (80 characters)

lanc_747
REST Interface for HORUS.AI Platform - Tutorial Highlights

REST Interface for HORUS.AI Platform - Tutorial Highlights

stockert_z
MongoDB Atlas Overview and Tutorial

MongoDB Atlas Overview and Tutorial

aaronj
Universally Composable Security: A Tutorial by Ran Canetti

Universally Composable Security: A Tutorial by Ran Canetti

kama_574
ClubDash Officer Tutorial

ClubDash Officer Tutorial

eva_kil
Online Adoption Tutorial for Course Material Submissions

Online Adoption Tutorial for Course Material Submissions

basi

More Related Content