Restricted HTCondor authentication to exclude unauthenticated@ besides anonymous@
The anonymous mapping is the result of a catch-all line in the mapfile. With the addition of different authentication types, if they are not in the mapfile, condor will default to unauthenticated if the authentication is valid but not in the mapfile, so it is wise to add this mapping to the DENY_... rules.
This was recommended by @rynge via Slack.
The security risk when enabling SSL is not in GlideinWMS since the mapfile includes:
SSL (.*) anonymous
GSI (.*) anonymous
FS (.*) \1
But this change is a good hardening of the configuration.
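A check for the hardening described above, as an added example that is not code from this pull request or from GlideinWMS: it scans HTCondor configuration text and reports every `DENY_*` knob whose effective value lacks one of the two identities. The `anonymous@*` and `unauthenticated@*` entry forms, the knob names in the sample and the function names are assumptions made for the illustration.

```python
import re

# Entries every DENY_* list should carry. The "@*" wildcard form is an
# assumption; the page only names the identities as anonymous@ and unauthenticated@.
REQUIRED = ("anonymous@*", "unauthenticated@*")

def effective_deny_lists(config_text):
    """Return {KNOB: [entries]} for DENY_* knobs; a later assignment overrides an earlier one.
    Macro expansion ($(NAME)) and line continuations are not handled."""
    knobs = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(DENY_\w+)\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            # Knob names are case-insensitive; lists are comma or space separated.
            entries = [e.lower() for e in re.split(r"[,\s]+", m.group(2)) if e]
            knobs[m.group(1).upper()] = entries
    return knobs

def missing_denies(config_text):
    """Return {KNOB: [missing entries]} for each DENY_* knob lacking a required entry."""
    report = {}
    for knob, entries in effective_deny_lists(config_text).items():
        missing = [req for req in REQUIRED if req not in entries]
        if missing:
            report[knob] = missing
    return report

# Constructed sample, not GlideinWMS's shipped configuration.
SAMPLE = """\
# write access still only denies the catch-all identity
DENY_WRITE = anonymous@*
DENY_ADMINISTRATOR = anonymous@*
DENY_DAEMON = anonymous@*, unauthenticated@*
deny_administrator = anonymous@*, unauthenticated@*
DENY_NEGOTIATOR = unauthenticated@*
"""

if __name__ == "__main__":
    for knob, missing in missing_denies(SAMPLE).items():
        print(f"{knob}: add {', '.join(missing)}")
```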
Related HTCondor tickets: