

Authentication in Condor

Authentication in Condor is flexible and robust, but it must be properly configured. Authentication allows a server process (not necessarily a process on the central manager) to confirm the identity, and therefore the validity, of a client process. Condor supports more elaborate forms of authentication, such as certificate-based SSL authentication and Kerberos, but the basic forms are the local and remote filesystem methods and password-based authentication.

Local filesystem authentication is perhaps the strongest form of username-based authentication when administrative access to a computer is properly limited. It is performed when both the server and client processes are running on the same physical machine. This form of authentication will only be performed if the client's SEC_CLIENT_AUTHENTICATION_METHODS configuration variable and the server's SEC_DEFAULT_AUTHENTICATION_METHODS both list “FS” and they mutually agree to perform this form of authentication. If so, the client writes a file to the /tmp/ folder. Assuming the client does not have root access 1), the file's ownership will be that of the client's effective user and group IDs. The server process then checks the user and group ownership against the user accounts of the local computer and/or user domain. If the ownership is what the server process expected, the server considers the client authenticated and uses the client's credentials to decide whether the client has the proper permissions to have its request fulfilled. The credentials take the form <username>@<hostname>/<domain>. Thus, if a client process's “<username>@<hostname>/<domain>” is listed in the appropriate ALLOW_* configuration variable, the client's request is fulfilled by the server.
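As an added illustration (not Condor's own code), the following Python model walks through the FS check described above: the client creates a file, the server derives a credential in the page's <username>@<hostname>/<domain> form from the file's ownership, and that credential is matched against an ALLOW_*-style list. The hostname, domain and allow-list entries are constructed for the example; the real daemons do this inside Condor, not through this script.

```python
import fnmatch
import os
import pwd
import tempfile


def write_client_token(directory=None):
    """Client side: create the file whose ownership the server inspects.
    mkstemp creates it mode 0600, owned by the caller's effective uid/gid
    (Condor uses /tmp; directory=None means the system temp dir here)."""
    fd, path = tempfile.mkstemp(prefix="fs_auth_demo_", dir=directory)
    os.close(fd)
    return path


def current_user():
    """Username of the effective uid of this process."""
    return pwd.getpwuid(os.geteuid()).pw_name


def credential_from_file(path, hostname, domain):
    """Server side: map the file's owning uid to <username>@<hostname>/<domain>.
    The trust here is that only root can chown a file (the footnote's caveat)."""
    st = os.stat(path)
    try:
        username = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:          # owner is not a known account: cannot authenticate
        return None
    return f"{username}@{hostname}/{domain}"


def is_allowed(credential, allow_list):
    """Match a credential against ALLOW_*-style entries; '*' is a wildcard."""
    return any(fnmatch.fnmatchcase(credential, pat) for pat in allow_list)


def authenticate(path, claimed_user, hostname, domain, allow_list):
    """The user the client claims to be must own the token, and the resulting
    credential must be listed; returns (authorized, credential)."""
    credential = credential_from_file(path, hostname, domain)
    if credential is None or credential.split("@", 1)[0] != claimed_user:
        return (False, credential)
    return (is_allowed(credential, allow_list), credential)


def demo():
    """Constructed scenario: a token owned by the current user, checked against
    a hypothetical ALLOW_* value; returns (ok, wrong_user, not_listed, cred)."""
    path = write_client_token()
    try:
        host, dom = "submit.example.org", "example.org"
        allow = [f"*@{host}/{dom}"]
        ok, cred = authenticate(path, current_user(), host, dom, allow)
        wrong_user, _ = authenticate(path, "__someone_else__", host, dom, allow)
        not_listed, _ = authenticate(path, current_user(), host, dom, ["__nobody__@*/" + dom])
        return ok, wrong_user, not_listed, cred
    finally:
        os.remove(path)
```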

Remote filesystem authentication FIXME

Password-based authentication FIXME

Password authentication in Condor has its downsides.

1) In Unix, the root administrative account is able to change the ownership and permissions of any file in the system. Thus, this form of authentication can be spoofed if a malicious client process has root access (God forbid!), since it would simply need to create the file and change its ownership to be whatever the server process expects.
condor/administration/authentication.1312837361.txt.gz · Last modified: 2011/08/08 21:02 by garrettheath4
CC Attribution-Noncommercial-Share Alike 4.0 International