Download ppt - Zach Miller Computer Sciences Department University of Wisconsin-Madison [email protected] Securing Condor

Zach MillerComputer Sciences DepartmentUniversity of Wisconsin-Madison

[email protected]://www.cs.wisc.edu/condor

Securing Condor

www.cs.wisc.edu/condor

Overview

› Problems With Default Installation

› Security Policy Configuration

› Configuring Security Methods

› Conclusion and Questions


Problems With Default Installation

› Host-based granularity is too big Any user who can login to central

manager has “Administrator” privileges

Any user on a machine can evict the job on that machine via condor_vacate



› Most connections are NOT authenticated Queue management commands are. Daemon-to-daemon commands are

not. It is possible to send false information

to the collector and other denials of service



› Traffic is not encrypted or checksummed Possibility of someone eavesdropping

on your traffic, including files transferred to or from execute machine

Possibility of someone modifying your traffic without detection


Security Policy Configuration

› Condor provides many mechanisms to address the previous shortcomings: Many authentication methods Strong encryption Signed checksums for integrity



› Condor will negotiate security requirements and supported methods

clientserver

I want to submit a job

You must authenticate w/ kerberos

KERBEROSnormal submit protocol



Default PolicySEC_DEFAULT_ENCRYPTION = OPTIONALSEC_DEFAULT_INTEGRITY = OPTIONALSEC_DEFAULT_AUTHENTICATION = OPTIONALSEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD #UNIXSEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI, KERBEROS, SSL, PASSWORD #WIN32



Default Policy

Possible Policy ValuesNEVER do not allow this to happenOPTIONAL do not request it, but allow itPREFFERED request it, but do not require itREQUIRED this is mandatory

SEC_DEFAULT_ENCRYPTION = OPTIONALSEC_DEFAULT_INTEGRITY = OPTIONALSEC_DEFAULT_AUTHENTICATION = OPTIONALSEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD #UNIXSEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI, KERBEROS, SSL, PASSWORD #WIN32



Y Y Y X

Y Y Y N

Y Y N N

X N N N

R P O N

Required

Preferred

Optional

Never

ClientPolicy

Server Policy

Policy Reconciliation


Security Policy ConfigurationVery Secure Policy

SEC_DEFAULT_ENCRYPTION = REQUIREDSEC_DEFAULT_INTEGRITY = REQUIREDSEC_DEFAULT_AUTHENTICATION = REQUIREDSEC_DEFAULT_AUTHENTICATION_METHODS = SSL

SSL CONFIGURATION LATER IN THIS TUTORIAL



Policy Reconciliation Example 1CLIENT POLICY

SEC_DEFAULT_ENCRYPTION = OPTIONAL SEC_DEFAULT_INTEGRITY = OPTIONALSEC_DEFAULT_AUTHENTICATION = OPTIONALSEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD

SERVER POLICYSEC_DEFAULT_ENCRYPTION = REQUIREDSEC_DEFAULT_INTEGRITY = REQUIREDSEC_DEFAULT_AUTHENTICATION = REQUIREDSEC_DEFAULT_AUTHENTICATION_METHODS = SSL

RECONCILED POLICYENCRYPTION = YESINTEGRITY = YESAUTHENTICATION = YESMETHODS = SSL



Policy Reconciliation Example 2CLIENT POLICY

SEC_DEFAULT_ENCRYPTION = PREFERRED SEC_DEFAULT_INTEGRITY = OPTIONALSEC_DEFAULT_AUTHENTICATION = REQUIREDSEC_DEFAULT_AUTHENTICATION_METHODS = SSL, GSI, KERBEROS, PASSWORD

SERVER POLICYSEC_DEFAULT_ENCRYPTION = NEVERSEC_DEFAULT_INTEGRITY = PREFERREDSEC_DEFAULT_AUTHENTICATION = OPTIONALSEC_DEFAULT_AUTHENTICATION_METHODS = FS,GSI,SSL

RECONCILED POLICYENCRYPTION = NOINTEGRITY = YESAUTHENTICATION = YESMETHODS = GSI,SSL



› As you can see, you may specify a different policy for each authorization level

Another Example PolicySEC_DEFAULT_ENCRYPTION = OPTIONALSEC_DEFAULT_INTEGRITY = PREFERREDSEC_DEFAULT_AUTHENTICATION = REQUIREDSEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, PASSWORD, SSL

SEC_READ_INTEGRITY = OPTIONALSEC_READ_AUTHENTICATION = OPTIONAL

SEC_CLIENT_INTEGRITY = OPTIONALSEC_CLIENT_AUTHENTICATION = OPTIONAL



› Possible values for authorization levels: CLIENT READ WRITE CONFIG ADMINISTRATOR OWNER DAEMON NEGOTIATOR



There is now a hierarchy of authorization:

READ

WRITE

DAEMONADMINISTRATOR

CONFIGOWNER

CLIENT

NEGOTIATOR



Once you have authenticated users, you may use a more fine-grained authorization list:

ALLOW_WRITE = [email protected]

ALLOW_WRITE = [email protected]/goose.cs.wisc.edu

ALLOW_WRITE = [email protected]/*.cs.wisc.edu



› Format of canonical username:user@domain/host

› One wildcard allowed in the user@domain portion, and one allowed in the host portion



› Usernames can now be mapped with regular expressions. Old GSI mapfile:

“/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin -- Madison/O=Computer Sciences Department/OU=Condor Project/CN=Zach Miller/[email protected]” [email protected]

“/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin -- Madison/O=Computer Sciences Department/OU=Condor Project/CN=Todd Tannenbaum/[email protected]” [email protected]

Etc.



› New mapfile applies to all types of authentication

› In your condor_config:

SEC_CANONICAL_MAPFILE = /path/to/mapfile

› Each line is a mapping rule



› Sample map file:

CLAIMTOBE .* nobody

FS (.*) \1

GSI Email=(.*) \1



› Review: The security policy determines which

types of security mechanism will be used for a given type of command:

SEC_ADMINISTRATOR_AUTHENTICATION = REQUIRED SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = GSI



› Review: The map file gives you a canonical

name from the authenticated user:GSI Email=(.*) \1

“/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin – Madison/O=Computer Sciences Department/OU=Condor Project/CN=Zach Miller/[email protected]”

[email protected]



› Review: The ALLOW_ and DENY_ lists control

the authorization of the canonical users:

ALLOW_WRITE = *@cs.wisc.edu, [email protected]

DENY_WRITE = *.evildomain.net


Configuring Security Methods

CLAIMTOBE is not configurable, and is meant for testing purposes only.

ANONYMOUS is also not configurable, and always sends the username “CONDOR_ANONYMOUS”



FS works by creating a file in /tmp, and checking to see who the owner of that file is.

FS_REMOTE is similar, but allows you to specify where to create the file, allowing you to use a directory on NFS or some other shared storage. This is specified like so:

FS_REMOTE_DIR = /shared/temp/space



NTSSPI uses Windows’ SSPI authentication. This requires that the username and password be the same on two machines that are authenticating to each other. There are no configuration options for this method.



GSI is the Globus Toolkit’s implementation of X.509. There are quite a number of configuration options for this which essentially specify which credentials to use, which to expect, and who is allowed to sign the credentials.



When using GSI, a user typically has a public key (certificate) and a private key that is encrypted with a password.

A temporary certificate, called a proxy, is created for use with condor:

% grid-proxy-init -cert zmiller.crt -key zmiller.keyYour identity: /C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin -- Madison/O=Computer Sciences Department/OU=Condor Project/CN=Zach Miller/[email protected] GRID pass phrase for this identity:Creating proxy ............................................... Done



For the Condor daemons to use GSI authentication, however, they will need either a proxy or a private key with no password.

Proxies would need to be valid for a considerable length of time to be useful in this context, so usually a cert/keypair is used.



GSI_DAEMON_CERT = condor_cred.crt

GSI_DAEMON_KEY = condor_cred.key

Also, Condor needs to know the public key of any CA that signs certificates:

GSI_DAEMON_TRUSTED_CA_DIR=/path/to/keys



Typically, there is a “host credential” which is owned by root in:/etc/grid-security/host.crt

/etc/grid-security/host.key

And also a directory of signing keys in/etc/grid-security/certificates



Condor will use those defaults without any additional configuration, if it has root privilege to read the host key.

Alternatively, you can specify your own directory to hold the key files and the signing certificates by using:

GSI_DAEMON_DIRECTORY=~/globus/



Since GSI is currently available only on UNIX systems, we have also added support for OpenSSL.

It needs essentially the same information as GSI, which is specified in this case with a different set of configuration parameters:

AUTH_SSL_SERVER_CAFILEAUTH_SSL_SERVER_CADIRAUTH_SSL_SERVER_CERTFILEAUTH_SSL_SERVER_KEYFILEAUTH_SSL_CLIENT_CAFILEAUTH_SSL_CLIENT_CADIRAUTH_SSL_CLIENT_CERTFILEAUTH_SSL_CLIENT_KEYFILE



For both GSI and OpenSSL, you can use the openssl command line tool to create all the necessary keys and files.

For more detailed info on that, please see the openssl man page, or come to the security BOF Thursday @ 1:30.



KERBEROS is now available on both UNIX and Windows platforms

On UNIX, it authenticates again a KDC (Kerberos Domain Controller). On Windows, the Active Directory server fills this role.



For Kerberos, a user may need to run kinit if that is not part of the normal login process:

% kinit [email protected]

Password for [email protected]:

% klist

Ticket cache: FILE:/var/adm/krb5/tmp/tkt/tkt_24842_pid14957

Default principal: [email protected]

Valid starting Expires Service principal

04/24/06 12:01:07 05/24/06 12:01:07 krbtgt/[email protected]



The Condor daemons can use the “host credential” if they are running as root. The default keytab file is typically in /etc/v5srvtab

Alternatively, you can specify your own keytab file and server principal to use:

KERBEROS_SERVER_KEYTAB = /scratch/zmiller/keytab.zmillerKERBEROS_SERVER_PRINCIPAL = zmiller/[email protected]



PASSWORD authentication also works on both UNIX and Windows, although the interface is somewhat different.

On Windows, the password is stored in a secure part of the registry.

On UNIX, the password is stored in a file specified by:SEC_PASSWORD_FILE = /path/to/file



To set the pool password, use the condor_store_cred command:

condor_store_cred add –p password


Conclusion

Now you have seen a general overview of the different methods that Condor supports, how to configure them, and how to set policy so they get used where you want them.


Questions?

Also, security BOF Thursday @ 2:30!