Merge branch 'V23-branch' into V23_x-branch

htcondor · Oct 11, 2024 · 7e66478 · 7e66478
2 parents 9188b70 + 24f5b92
commit 7e66478
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 30 deletions.
diff --git a/Makefile b/Makefile
@@ -6,7 +6,7 @@
 # ------------------------------------------------------------------------------
 
 PACKAGE := htcondor-ce
-VERSION := 23.9.1
+VERSION := 23.10.1
 
 
 # ------------------------------------------------------------------------------

diff --git a/config/03-managed-fork-defaults.conf b/config/03-managed-fork-defaults.conf
@@ -9,8 +9,8 @@
 #
 ###############################################################################
 
-# Limit the number of jobs allowed by local universe
-START_LOCAL_UNIVERSE = TotalLocalJobsRunning + TotalSchedulerJobsRunning < 20
+# Disable local universe jobs
+START_LOCAL_UNIVERSE = false
 
-# Limit the number of jobs allowed by scheduler universe
-START_SCHEDULER_UNIVERSE = $(START_LOCAL_UNIVERSE)
+# Disable scheduler universe jobs
+START_SCHEDULER_UNIVERSE = false
diff --git a/config/03-managed-fork.conf b/config/03-managed-fork.conf
@@ -7,8 +7,8 @@
 #
 ###############################################################################
 
-# Limit the number of jobs allowed by local universe
-START_LOCAL_UNIVERSE = TotalLocalJobsRunning + TotalSchedulerJobsRunning < 20
+# Disable local universe jobs
+START_LOCAL_UNIVERSE = false
 
-# Limit the number of jobs allowed by scheduler universe
-START_SCHEDULER_UNIVERSE = $(START_LOCAL_UNIVERSE)
+# Disable scheduler universe jobs
+START_SCHEDULER_UNIVERSE = false
diff --git a/config/05-ce-auth-defaults.conf b/config/05-ce-auth-defaults.conf
@@ -44,8 +44,8 @@ ALLOW_NEGOTIATOR = $(SUPERUSERS)
 # Authentication settings
 SEC_DEFAULT_AUTHENTICATION_METHODS = FS
 SEC_CLIENT_AUTHENTICATION_METHODS = FS, TOKEN, SCITOKENS, SSL
-SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
-SCHEDD.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
+SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,SCITOKENS,SSL
+SCHEDD.SEC_READ_AUTHENTICATION_METHODS = FS,SCITOKENS,SSL
 COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
 COLLECTOR.SEC_WRITE_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
 COLLECTOR.SEC_ADVERTISE_STARTD_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL

diff --git a/config/05-ce-collector-auth.conf b/config/05-ce-collector-auth.conf
@@ -26,7 +26,7 @@ COLLECTOR.ALLOW_ADVERTISE_MASTER = $(COLLECTOR.ALLOW_ADVERTISE_MASTER), $(USERS)
 
 # Allow the CE registry webapp to approve CE token requests.
 COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = FS,TOKEN
-COLLECTOR.ALLOW_ADMINISTRATOR=condorce_webapp@htcondor.org/localhost condorce_webapp@htcondor.org/$(FULL_HOSTNAME)
+COLLECTOR.ALLOW_ADMINISTRATOR=condorce_webapp@$(UID_DOMAIN)/localhost condorce_webapp@$(UID_DOMAIN)/$(FULL_HOSTNAME)
 
 # When requesting a token to register a new CE, only allow it to advertise a schedd.
 SEC_TOKEN_REQUEST_LIMITS = ADVERTISE_SCHEDD
diff --git a/rpm/htcondor-ce.spec b/rpm/htcondor-ce.spec
@@ -2,8 +2,8 @@
 #define gitrev osg
 
 Name: htcondor-ce
-Version: 23.9.1
-Release: 1%{?gitrev:.%{gitrev}git}%{?dist}
+Version: 23.10.1
+Release: 0.rc1%{?gitrev:.%{gitrev}git}%{?dist}
 Summary: A framework to run HTCondor as a CE
 BuildArch: noarch
 
@@ -260,26 +260,12 @@ getent passwd condorce_webapp >/dev/null || \
 %post
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 
-if [ ! -e /etc/condor-ce/passwords.d/POOL ]; then
-    %{_datadir}/condor-ce/condor_ce_create_password >/dev/null 2>&1 || :
-fi
-
 %systemd_post condor-ce.service
 
 %post collector
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 %systemd_post condor-ce-collector.service condor-ce-collector-config.service
 
-if [ ! -e /etc/condor-ce/passwords.d/POOL ]; then
-    %{_datadir}/condor-ce/condor_ce_create_password >/dev/null 2>&1 || :
-fi
-
-autogenerated_token=/etc/condor-ce/webapp.tokens.d/50-webapp
-if [ ! -e $autogenerated_token ]; then
-    CONDOR_CONFIG=/etc/condor-ce/condor_config condor_token_create \
-                 -authz ADMINISTRATOR -identity condorce_webapp@htcondor.org > $autogenerated_token 2>&1 || :
-fi
-
 %preun
 %systemd_preun condor-ce.service
 
@@ -557,6 +543,10 @@ fi
 %{_localstatedir}/www/wsgi-scripts/htcondor-ce/htcondor-ce-registry.wsgi
 
 %changelog
+* Fri Oct 11 2024 Tim Theisen <tim@cs.wisc.edu> - 23.10.1-0.rc1
+- Fix cert subject parsing in condor_ce_host_network_check
+- Lock down HTCondor-CE IDTOKEN security
+
 * Thu Aug 08 2024 Tim Theisen <tim@cs.wisc.edu> - 23.9.1-1
 - Use new Job Router syntax by default
 - Update configuration files to work with HTCondor 23.9.1 and later

diff --git a/src/htcondorce/registry.py b/src/htcondorce/registry.py
@@ -96,7 +96,6 @@ def fetch_tokens(reqid: str, config: Config) -> Dict:
         args.append('-pool', pool)
     req_environ = dict(os.environ)
     req_environ.setdefault('CONDOR_CONFIG', '/etc/condor-ce/condor_config')
-    req_environ['_condor_SEC_CLIENT_AUTHENTICATION_METHODS'] = "TOKEN"
     req_environ['_condor_SEC_TOKEN_DIRECTORY'] = '/etc/condor-ce/webapp.tokens.d'
     process = subprocess.Popen(args, stderr=subprocess.PIPE,
         stdout=subprocess.PIPE, env=req_environ)
@@ -122,7 +121,6 @@ def approve_token(reqid: str, config: Config):
         args.append('-pool', pool)
     req_environ = dict(os.environ)
     req_environ.setdefault('CONDOR_CONFIG', '/etc/condor-ce/condor_config')
-    req_environ['_condor_SEC_CLIENT_AUTHENTICATION_METHODS'] = "TOKEN"
     req_environ['_condor_SEC_TOKEN_DIRECTORY'] = '/etc/condor-ce/webapp.tokens.d'
     process = subprocess.Popen(args, stderr=subprocess.PIPE,
         stdout=subprocess.PIPE, stdin=subprocess.PIPE, env=req_environ)