diff --git a/Makefile b/Makefile
index fa1d47851..236a771cf 100644
--- a/Makefile
+++ b/Makefile
@@ -138,9 +138,8 @@ CE_DEFAULT_CONFIG_FILES := \
 contrib/apelscripts/50-ce-apel-defaults.conf
 CE_MAP_FILES := \
- config/mapfiles.d/10-gsi.conf \
+ config/mapfiles.d/10-ssl.conf \
 config/mapfiles.d/10-scitokens.conf \
- config/mapfiles.d/50-gsi-callout.conf \
 config/mapfiles.d/90-ban.conf
 CE_CONDOR_CONFIG_FILES := \
diff --git a/config/01-ce-auth.conf b/config/01-ce-auth.conf
index 23e067288..6fda07e48 100644
--- a/config/01-ce-auth.conf
+++ b/config/01-ce-auth.conf
@@ -10,7 +10,7 @@
 # By default, regular expressions in the second field of HTCondor-CE
 # mapfiles must be enclosed with '/'. For exmaple:
 #
-# GSI /(.*)/ GSS_ASSIST_GRIDMAP
+# SSL /(.*/CN=Jane)/ jane
 #
 # To restore the previous behavior where the second field is enclosed
 # in double-quotes and they are all treated as potential regular
diff --git a/config/01-common-auth-defaults.conf b/config/01-common-auth-defaults.conf
index 2e42f3a81..9126fdafd 100644
--- a/config/01-common-auth-defaults.conf
+++ b/config/01-common-auth-defaults.conf
@@ -15,7 +15,7 @@ use security:recommended_v9_0
 # Pool password directory for the CE and collector.
 SEC_PASSWORD_DIRECTORY = /etc/condor-ce/passwords.d
-# GSI settings
+# Authentication settings
 CERTIFICATE_MAPFILE=/etc/condor-ce/condor_mapfile
 # Alter SSL settings to work with both standard and grid file locations
diff --git a/config/05-ce-collector-auth.conf b/config/05-ce-collector-auth.conf
index 8448740bb..eb8528a04 100644
--- a/config/05-ce-collector-auth.conf
+++ b/config/05-ce-collector-auth.conf
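Review bot: The new example `# SSL /(.*/CN=Jane)/ jane` leaves the `/` before `CN=Jane` unescaped inside a `/.../`-delimited regex, while the mapfile commentary in 10-ssl.conf from this same commit requires forward slashes in the DN to be written as `\/` and its own examples do so (`\/GLOW\/Role=htpc`). This is the line site admins are most likely to copy, so it should follow the documented escaping: `# SSL /(.*\/CN=Jane)/ jane`. The pattern is also unanchored on the right, so unless the mapfile matcher anchors patterns itself (nothing in this hunk shows that) it would also accept `CN=Janet`; a note about anchoring with `$` or using the full DN would make the example safer to imitate. The untouched context line above still spells `exmaple`.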
@@ -10,14 +10,8 @@
 ###############################################################################
 # Allow site CEs to advertise to the central collector via SSL (SOFTWARE-3939)
-if version > 9.0.6
- # 9.0.6 includes AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE (HTCONDOR-236)
- COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = SSL, GSI
- COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = SSL, GSI
-else
- COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = GSI, SSL
- COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = GSI, SSL
-endif
+COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = SSL
+COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = SSL
 # Allow CEs and XCache hosts not in the grid-mapfile to advertise to the central collector
 COLLECTOR.ALLOW_ADVERTISE_SCHEDD = $(COLLECTOR.ALLOW_ADVERTISE_SCHEDD), $(UNMAPPED_USERS), $(USERS)
diff --git a/config/05-ce-view-defaults.conf b/config/05-ce-view-defaults.conf
index c75a2903e..166144284 100644
--- a/config/05-ce-view-defaults.conf
+++ b/config/05-ce-view-defaults.conf
@@ -51,7 +51,7 @@ else
 # CE View drops privs after startup to the condor user, which doesn't
 # have access to the host key for auth. Use FS auth instead.
 CEVIEW.SEC_CLIENT_AUTHENTICATION_METHODS = FS
- MASTER.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI
+ MASTER.SEC_DEFAULT_AUTHENTICATION_METHODS = FS
 endif
 # Cherrypy does not respect SIGTERM signals from the master, so kill it (and everything else) quickly
diff --git a/config/condor-ce b/config/condor-ce
index 161f4a7ad..931eeceff 100644
--- a/config/condor-ce
+++ b/config/condor-ce
@@ -15,10 +15,6 @@
 # /opt/condor
 # export PATH=/opt/condor/bin:/opt/condor/sbin:$PATH
-# Example: Have GSI authorization use a different plugin for Condor than the
-# rest of the system.
-# export GSI_AUTHZ_CONF=/etc/condor-ce/gsi-authz.conf
-
 # Example: Have the HTCondor-CE use a different hostname from the rest of
 # the system.
 # export CONDORCE_HOSTNAME=condorce.example.com
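Review bot: The removed `if version > 9.0.6` branch recorded that putting SSL first for advertising was only safe once `AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE` existed (HTCONDOR-236); the two new lines make SSL the only advertise method but drop that dependency, and nothing in this hunk sets the knob or enforces a minimum HTCondor version. That matters because the context line immediately below deliberately lets `$(UNMAPPED_USERS)` advertise: an SSL session that completes without a client certificate — which, as I read the removed comment, is what the old ordering guarded against on older releases — would land in exactly that authorized set, so a collector running a pre-9.0.6 HTCondor could accept schedd and master ads from anyone able to open a TLS connection, unless the package already pins a newer HTCondor (this diff does not show it). I would keep the dependency visible above the new lines, e.g. `# SSL-only advertising relies on AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE (HTCondor >= 9.0.6, HTCONDOR-236)`, and make sure the RPM's requirements state that floor.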
diff --git a/config/condor-ce-collector b/config/condor-ce-collector
index 3b57a1058..b57686978 100644
--- a/config/condor-ce-collector
+++ b/config/condor-ce-collector
@@ -15,10 +15,6 @@
 # /opt/condor
 # export PATH=/opt/condor/bin:/opt/condor/sbin:$PATH
-# Example: Have GSI authorization use a different plugin for Condor than the
-# rest of the system.
-# export GSI_AUTHZ_CONF=/etc/condor-ce/gsi-authz.conf
-
 # Example: Have the HTCondor-CE collector use a different hostname from the rest of
 # the system.
 # export CONDORCE_HOSTNAME=condorce.example.com
diff --git a/config/mapfiles.d/10-gsi.conf b/config/mapfiles.d/10-ssl.conf
similarity index 77%
rename from config/mapfiles.d/10-gsi.conf
rename to config/mapfiles.d/10-ssl.conf
index 8fc9471c0..9d37fb8be 100644
--- a/config/mapfiles.d/10-gsi.conf
+++ b/config/mapfiles.d/10-ssl.conf
@@ -6,8 +6,8 @@
 #
 ###############################################################################
-# Using GSI authentication for certificates requires the issuer CAs to be
-# installed in /etc/grid-security/certificates. If you would also like to
+# Using SSL authentication for IGTF certificates requires the issuer CAs to
+# be installed in /etc/grid-security/certificates. If you would also like to
 # authenticate VOMS attributes, *.lsc files should be installed in
 # /etc/grid-security/vomsdir/
@@ -16,16 +16,16 @@
 # with '\/') with the Distinguished Name (DN) of the incoming user certificate
 # and the unix account under which the job should run, respectively:
 #
-# GSI //
+# SSL //
 # VOMS attributes can also be used for mapping:
 #
-# GSI /,,,...,/
+# SSL /,,,...,/
 # The second field should be a Perl Compatible Regular Expression (PCRE), thus
 # allowing you to accept any DN with a given VOMS FQAN. For example, to map any
 # GLOW certificate with the 'htpc' role to the 'glow' user, add a line that
 # looks like the following:
 #
-# GSI /.*,\/GLOW\/Role=htpc.*/ glow
+# SSL /.*,\/GLOW\/Role=htpc.*/ glow
 #
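Review bot: The DN and VOMS examples in the second hunk are carried over from the GSI file with only the method token changed, but the text never says how VOMS FQANs become visible to the SSL method — the GSI-era wording in the header hunk still implies that `*.lsc` files in vomsdir alone are enough. An admin reading `# SSL /,,,...,/` cannot tell whether an additional HTCondor setting is required before the `DN,FQAN,...` form will ever match, so the comment should name the condition under which FQANs are appended to the identity, or state plainly that they are not. The placeholder examples `# SSL //` and `# SSL /,,,...,/` also appear to have lost their `<DN>`, `<USER>` and `<FQAN>` tokens; if that is what the file contains rather than an artifact of how this diff was rendered, they need restoring, since the examples are otherwise unreadable. It would help the header hunk to say that `/etc/grid-security/certificates` is reached through the SSL CA-directory settings that 01-common-auth-defaults.conf describes as altered for grid file locations, so the requirement is traceable to a setting rather than asserted.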
diff --git a/config/mapfiles.d/50-gsi-callout.conf b/config/mapfiles.d/50-gsi-callout.conf
deleted file mode 100644
index fa49f58ec..000000000
--- a/config/mapfiles.d/50-gsi-callout.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-###############################################################################
-#
-# HTCondor-CE authentication mapping for GSI callouts
-#
-# This file will NOT be overwritten upon RPM upgrade.
-#
-###############################################################################
-
-# The special token GSS_ASSIST_GRIDMAP indicates one should use the Globus Toolkit
-# callout mechanism (which may involve plugins such as LCMAPS or Argus).
-# Comment this out if you are not using a Globus Toolkit callout for mappings
-GSI /(.*)/ GSS_ASSIST_GRIDMAP
diff --git a/rpm/htcondor-ce.spec b/rpm/htcondor-ce.spec
index a802d5679..7a1d00a25 100644
--- a/rpm/htcondor-ce.spec
+++ b/rpm/htcondor-ce.spec
@@ -303,9 +303,8 @@ getent passwd condorce_webapp >/dev/null || \
 %config(noreplace) %{_sysconfdir}/condor-ce/config.d/03-managed-fork.conf
 %config(noreplace) %{_sysconfdir}/sysconfig/condor-ce
-%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-gsi.conf
+%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-ssl.conf
 %config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-scitokens.conf
-%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/50-gsi-callout.conf
 %config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/90-ban.conf
 %{_datadir}/condor-ce/config.d/01-ce-audit-payloads-defaults.conf
diff --git a/src/condor_ce_config_val b/src/condor_ce_config_val
index a2bd72658..34c207f21 100755
--- a/src/condor_ce_config_val
+++ b/src/condor_ce_config_val
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_config_val "$@"
diff --git a/src/condor_ce_history b/src/condor_ce_history
index 2104244bb..41da06d06 100755
--- a/src/condor_ce_history
+++ b/src/condor_ce_history
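Review bot: Dropping `10-gsi.conf` from the `%config(noreplace)` list has an upgrade consequence the spec hunk does not handle: RPM removes an unmodified copy outright and leaves a site-edited one behind as `10-gsi.conf.rpmsave`, and that file is precisely where sites keep their DN-to-account mappings. After the upgrade, any `GSI ...` lines in a surviving mapfile or in `condor_mapfile` can never match because no daemon authenticates with that method any more, so previously mapped identities either stop being mapped or fall through to whatever the unmapped policy permits, and nothing here warns about it. I would add a `%posttrans` step (or a check in `condor_ce_upgrade_check`, which this commit already touches) that greps `/etc/condor-ce/mapfiles.d/*.conf` and `condor_mapfile` for lines beginning with `GSI ` and prints a migration warning, and confirm whether the DN string the SSL method presents is byte-identical to the GSI one before telling admins that `s/^GSI /SSL /` is a sufficient conversion.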
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_history "$@"
diff --git a/src/condor_ce_hold b/src/condor_ce_hold
index 2bd034ea1..5cecb1f7a 100755
--- a/src/condor_ce_hold
+++ b/src/condor_ce_hold
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_hold "$@"
diff --git a/src/condor_ce_job_router_info b/src/condor_ce_job_router_info
index 165d0bc53..e0734cc5e 100755
--- a/src/condor_ce_job_router_info
+++ b/src/condor_ce_job_router_info
@@ -7,7 +7,6 @@ missing_tool()
 }
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 CONDOR_BIN_DIR=$(/usr/bin/dirname $(/usr/bin/which condor_version 2> /dev/null ) 2> /dev/null )
 if [ -z "$CONDOR_BIN_DIR" ]; then
 missing_tool
diff --git a/src/condor_ce_off b/src/condor_ce_off
index d1e74a5af..08c7b12bf 100755
--- a/src/condor_ce_off
+++ b/src/condor_ce_off
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_off "$@"
diff --git a/src/condor_ce_on b/src/condor_ce_on
index f415a795f..e442090a1 100755
--- a/src/condor_ce_on
+++ b/src/condor_ce_on
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_on "$@"
diff --git a/src/condor_ce_ping b/src/condor_ce_ping
index 6a2fa95e3..746aee3c2 100755
--- a/src/condor_ce_ping
+++ b/src/condor_ce_ping
@@ -1,7 +1,6 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_ping "$@"
diff --git a/src/condor_ce_q b/src/condor_ce_q
index 2e63b6abf..4cbbc36d6 100755
--- a/src/condor_ce_q
+++ b/src/condor_ce_q
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_q "$@"
diff --git a/src/condor_ce_qedit b/src/condor_ce_qedit
index 4131cbdb8..ad0103a38 100755
--- a/src/condor_ce_qedit
+++ b/src/condor_ce_qedit
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_qedit "$@"
diff --git a/src/condor_ce_reconfig b/src/condor_ce_reconfig
index e27a5a8c8..0a4760c7c 100755
--- a/src/condor_ce_reconfig
+++ b/src/condor_ce_reconfig
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_reconfig "$@"
diff --git a/src/condor_ce_release b/src/condor_ce_release
index f6e7e54f4..52aa77f53 100755
--- a/src/condor_ce_release
+++ b/src/condor_ce_release
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_release "$@"
diff --git a/src/condor_ce_reschedule b/src/condor_ce_reschedule
index 6c7690ac3..a1b8f8458 100755
--- a/src/condor_ce_reschedule
+++ b/src/condor_ce_reschedule
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_reschedule "$@"
diff --git a/src/condor_ce_restart b/src/condor_ce_restart
index caf54b02a..68801831e 100755
--- a/src/condor_ce_restart
+++ b/src/condor_ce_restart
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_restart "$@"
diff --git a/src/condor_ce_rm b/src/condor_ce_rm
index f87848146..9a9c47962 100755
--- a/src/condor_ce_rm
+++ b/src/condor_ce_rm
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_rm "$@"
diff --git a/src/condor_ce_router_q b/src/condor_ce_router_q
index a7fc81a1d..9fcf7db61 100755
--- a/src/condor_ce_router_q
+++ b/src/condor_ce_router_q
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_router_q -S "$@"
diff --git a/src/condor_ce_run b/src/condor_ce_run
index 5503b0a4f..57f8824c6 100755
--- a/src/condor_ce_run
+++ b/src/condor_ce_run
@@ -234,7 +234,7 @@ def main():
 opts, args = parse_opts()
 if opts.remote:
 os.environ.setdefault("CONDOR_CONFIG", "/etc/condor-ce/condor_config")
- os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,GSI,FS')
+ os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,SSL,FS')
 if len(args) < 2:
 print("Usage: condor_ce_run [arg1] [arg2] [...]")
diff --git a/src/condor_ce_status b/src/condor_ce_status
index 0ea2ee315..39073a840 100755
--- a/src/condor_ce_status
+++ b/src/condor_ce_status
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_status "$@"
diff --git a/src/condor_ce_store_cred b/src/condor_ce_store_cred
index 139344127..48b4797ca 100755
--- a/src/condor_ce_store_cred
+++ b/src/condor_ce_store_cred
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_store_cred "$@"
diff --git a/src/condor_ce_submit b/src/condor_ce_submit
index afdcb3ae3..31dd88fbb 100755
--- a/src/condor_ce_submit
+++ b/src/condor_ce_submit
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_submit "$@"
diff --git a/src/condor_ce_trace b/src/condor_ce_trace
index bf5d14bb0..5d7d26cc5 100755
--- a/src/condor_ce_trace
+++ b/src/condor_ce_trace
@@ -332,7 +332,7 @@ def main():
 raise ce.CondorRunException('ERROR: Could not find CE schedd at %s.\n' % job_info['schedd_name'] + \
 'Verify that the Scheduler daemon is up with `condor_ce_status -any`.')
- os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,GSI,FS')
+ os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,SSL,FS')
 check_authz(coll_ad, schedd_ad)
 try:
 job_info.update(ce.generate_job_files())
diff --git a/src/condor_ce_transform_ads b/src/condor_ce_transform_ads
index 27b1148cb..746530bea 100755
--- a/src/condor_ce_transform_ads
+++ b/src/condor_ce_transform_ads
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_transform_ads "$@"
diff --git a/src/condor_ce_upgrade_check b/src/condor_ce_upgrade_check
index c2a8aea6f..8e2acba09 100755
--- a/src/condor_ce_upgrade_check
+++ b/src/condor_ce_upgrade_check
@@ -1,5 +1,4 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_upgrade_check -ce "$@"
diff --git a/src/condor_ce_version b/src/condor_ce_version
index 22bf31fbd..f3bf2d05c 100755
--- a/src/condor_ce_version
+++ b/src/condor_ce_version
@@ -1,7 +1,6 @@
 #!/bin/sh
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 echo "\$HTCondorCEVersion: $(condor_ce_config_val HTCondorCEVersion | tr -d \") \$"
 exec condor_version "$@"