Presentation is loading. Please wait.

Presentation is loading. Please wait.

HTCondor Security Basics HTCondor Week, Madison 2016 Zach Miller Center for High Throughput Computing Department of Computer Sciences.

Published byMonica Stokes Modified over 8 years ago

Similar presentations

Presentation on theme: "HTCondor Security Basics HTCondor Week, Madison 2016 Zach Miller Center for High Throughput Computing Department of Computer Sciences."— Presentation transcript:

1 HTCondor Security Basics HTCondor Week, Madison 2016 Zach Miller (zmiller@cs.wisc.edu) Center for High Throughput Computing Department of Computer Sciences University of Wisconsin-Madison

2 › What are the threats? › Who do you trust? › What are the mechanisms? › Other security concerns? 2 Overview

3 › The purpose of HTCondor is to accept arbitrary code from users and run it on a large number of machines Threats 3

4 › The purpose of HTCondor is to accept arbitrary code from users and run it on a large number of machines › The purpose of a botnet is to take arbitrary code and run it on a large number of machines Threats 4

5 › So what’s the difference? › You wish to prevent unauthorized access › Ultimately, it just comes down to who can use your pool, and how they can use it. Threats 5

6 Basic Concepts › “Who can use your pool” is really two concepts: › The “Who” is authentication › The “can use” is authorization

7 Basic Concepts › Authentication is finding out WHO some entity is. › How is this done?  Common methods: Present a secret that only you should know Perform some action that only you can do Present a credential that only you could have

8 Basic Concepts › Authorization is deciding what someone is allowed to do. › You must know who they are before you can decide this!

9 Basic Concepts › I’m using “they” pretty loosely here. › “They” could be:  A user  A machine  An agent/daemon/service

10 Basic Concepts › In the context of an HTCondor pool:  You want only machines that you trust to be in the pool  You want only people you trust to submit jobs

11 › HTCondor relies on trusting the “root” user of a machine › If this is compromised, all bets are off › HTCondor daemons trust each other › You need to trust your friendly HTCondor administrator Assumptions of Trust 11

12 › How about users? › HTCondor places some restrictions on users:  zmiller cannot submit, remove, or manipulate jobs belonging to another user › But ”bad” users can still cause problems  Running fork bomb: while(1) { fork() }  Intentionally interfering with the system Assumptions of Trust 12

13 › So, users are trusted to some degree › Preventing every possible bad behavior makes the system too cumbersome for good users  Security is always a balancing act with usability › Decide how much you want to prevent versus punish Assumptions of Trust 13

14 › SUBMIT_REQUIREMENT allows the administrator to restrict what jobs are able to enter the queue › Can be used to prevent users from lying about what groups they belong to: SUBMIT_REQUIREMENT_NAMES = GROUP1 SUBMIT_REQUIREMENT_GROUP1= (Accounting_Group != “group1”) || (Accounting_Group == “group1” && (Owner==“zmiller” || Owner==“tannenba”)) SUBMIT_REQUIREMENT_GROUP1_REASON=“User not in group1” Restricting Users 14

15 › SUBMIT_REQUIREMENT allows the administrator to restrict what jobs are able to enter the queue › Can be used to allow only certain executable files, number of CPUs requested for a job, anything else that is part of the Job ClassAd Restricting Users 15

16 Authentication › When users submit jobs, HTCondor authenticates them › The HTCondor SCHEDD daemon now “owns” the jobs, and acts on their behalf.

17 Authentication › So how can we trust the SCHEDD? › Daemon-to-daemon authentication

18 Authentication › For a secure pool, both users and HTCondor daemons must authenticate themselves › HTCondor supports several mechanisms:  File System  Password  Kerberos  SSL  GSI

19 › In addition to authenticating network connections, you may also wish to use: › Integrity Checks (MD5)  Allows HTCondor to know if traffic has been tampered with › Encryption (3DES, Blowfish)  Allows HTCondor to transmit encrypted data so it cannot be spied on while in transit Other Security Mechanisms 19

20 SEC_DEFAULT_AUTHENTICATION = REQUIRED SEC_DEFAULT_AUTHENTICATION_METHODS = Kerberos SEC_DEFAULT_ENCRYPTION = REQUIRED SEC_DEFAULT_INTEGRITY = REQUIRED Example “Strong” Configuration 20

21 › When first contacting each other, HTCondor daemons have a short negotiation to find out which mechanisms are support and what features are required for the connection Security Negotiation 21 client server I want to submit a job You must authenticate w/ kerberos KERBEROS normal submit protocol

22 Security Negotiation › Policy Reconciliation Example: CLIENT POLICY SEC_DEFAULT_ENCRYPTION = OPTIONAL SEC_DEFAULT_INTEGRITY = OPTIONAL SEC_DEFAULT_AUTHENTICATION = OPTIONAL SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, KERBEROS, SSL, PASSWORD SERVER POLICY SEC_DEFAULT_ENCRYPTION = REQUIRED SEC_DEFAULT_INTEGRITY = REQUIRED SEC_DEFAULT_AUTHENTICATION = REQUIRED SEC_DEFAULT_AUTHENTICATION_METHODS = SSL RECONCILED POLICY ENCRYPTION = YES INTEGRITY = YES AUTHENTICATION = YES METHODS = SSL

23 › I’m going to skip the detailed configuration of each particular security mechanism. › Security is not one-size fits all › If you are interested in details, please schedule some “office hours” with me to discuss. Security Configuration 23

24 › Are your condor_config files secured? › They should be owned and only modifiable by root. › If you use a config directory, make sure only root can create files in it Configuration Security 24

25 › HTCondor can allow configuration changes using a command-line tool:  condor_config_val –set Name Value › However, this behavior is off by default and needs to be enabled on a case-by-case basis for each config parameter… use carefully only if you really need it Configuration Security 25

26 › HTCondor typically runs “as root” › Why?  Impersonating users  Process isolation  Reading secure credentials › When it isn’t actively using root, it switches effective UID to another user (“condor”) HTCondor Privilege 26

27 › HTCondor will never launch a user job as root. There is a “circuit breaker” at the lowest level to prevent it. › If not using system credentials, the Central Manager can run without root priv › Let’s examine some different Startd configurations HTCondor Privilege 27

28 › Startds have a few different options for running jobs: › Run jobs as the submitting user › Run jobs as the user “nobody”  Allows jobs to interfere with one another › Run jobs as a dedicated user per slot  Keeps jobs running as a low-privilege user  Isolates jobs from one another  Makes it easy to clean up after a job StartD Configurations 28

29 › Allows HTCondor daemons to be run without root privilege, yet running jobs can still assume the UID of the submitting user › Uses GSI credentials to authenticate › Very useful for glidein jobs glexec 29

30 › Even if that admin has not required encryption for all network connections, user jobs can specify per-file for both input and output if the files should be encrypted:  Encrypt_Input_Files = file1, *.dat  Encrypt_Output_Files = data.private Encrypted File Transfer 30

31 › If you are using Linux with ecryptfs installed, you can have HTCondor encrypt the execute directory on disk, offering extra protection of sensitive data. › Can be enabled pool-wide by the admin:  ENCRYPT_EXECUTE_DIRECTORY = True › Per-job in the submit file:  Encrypt_Execute_Directory = True Encrypt Execute Directory 31

32 › HTCondor has been assessed by an independent research group. › That was many years ago. Another audit will be coming “soon” › Our vulnerability reporting process is documented and vulnerability reports publicly available: › http://research.cs.wisc.edu/htcondor/security/ http://research.cs.wisc.edu/htcondor/security/ Vulnerabilities 32

33 › Schedule “office hours” this week › Email the htcondor-users mailing list and if your question is security related I will (likely) respond › Email me directly Questions? 33

Download ppt "HTCondor Security Basics HTCondor Week, Madison 2016 Zach Miller Center for High Throughput Computing Department of Computer Sciences."

Similar presentations

Jaime Frey Computer Sciences Department University of Wisconsin-Madison OGF 19 Condor Software Forum Routing.

Jaime Frey Computer Sciences Department University of Wisconsin-Madison OGF 19 Condor Software Forum Routing.
Building a secure Condor ® pool in an open academic environment Bruce Beckles University of Cambridge Computing Service.

Building a secure Condor ® pool in an open academic environment Bruce Beckles University of Cambridge Computing Service.
Pharos Uniprint 8.3.

Pharos Uniprint 8.3.
Operating System Security

Operating System Security
Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.

Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.
With TimeCard appointments are tagged with information that converts them into time sheets. This way users can report time and expenses from their Outlook.

With TimeCard appointments are tagged with information that converts them into time sheets. This way users can report time and expenses from their Outlook.
Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.

Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.
Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison Condor Week 2007 Signed.

Ian D. Alderman Computer Sciences Department University of Wisconsin-Madison Condor Week 2007 Signed.
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
HTCondor Security Mechanisms Overview “Padlock” by Peter Ford © 2005 Licensed under the Creative Commons Attribution 2.0 license

HTCondor Security Mechanisms Overview “Padlock” by Peter Ford © 2005 Licensed under the Creative Commons Attribution 2.0 license
Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.

Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.

Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Similar presentations

Ads by Google