Feature #21324

Handle new GCE credential format

Added by Parag Mhashilkar over 2 years ago. Updated 2 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:




From: Steven C Timm
Date: Wednesday, November 7, 2018 at 9:57 AM
To: glideinwms-support
Subject: Need to discuss new google credential handling features of HTCondor

within the last year, Google Compute Engine shifted the way it stored its credentials from being a flat file in which
private key (long term) and access token (1 hr expiration) were stored together, to storing them in a pair of
sqlite databases, one for the private keys and one for the access tokens. For the past 5-6 months we have
been running a cron script which extracts the two parts and munges them together into a single auth_file
(the GCE_auth_file) so that HTCondor will know what to do with them. This file has been passed as
type auth_file from the frontend to the factory.

Now HTcondor from 8.7.9 and greater allows to parse the native sqlite db form of credentials. Only
problem is that we have no way for the frontend to pass such a set of credentials to the factory.
That leaves us with three options--park the credentials on the factory directly, teach glideinwms how to pass
such a credential file, or keep on extracting the credentials as we were doing. This is not
high urgency because we can continue with the existing way, although we may have to fix a bug.
But given we are likely to keep doing business with google in the long term, I would like to discuss the best way to handle this
for credential secret passing in the glideinwms.


Steve Timm

Related issues

Related to GlideinWMS - Feature #24165: Refactor credential handlingNew03/10/2020


#1 Updated by Marco Mambelli over 1 year ago

  • Target version changed from v3_5_x to v3_6_x

#2 Updated by Marco Mambelli 5 months ago

  • Target version changed from v3_6_x to v3_7_x
  • Assignee changed from Parag Mhashilkar to Dennis Box

#3 Updated by Marco Mambelli 5 months ago

Also available in: Atom PDF