scitoken support - factory schedds to CE's
This is a follow-on to #23092 - add support for SciToken authentiction from factory schedds to entry point CE's.
Document changes to condor configuration needed to make this work.
#1 Updated by Dennis Box 2 months ago
Notes on using this feature.
- factory condor needs to be a SciTokens supporting version (>8.9.1)
- CE needs to be a SciTokens supporting version (>4.0.1)
- fermicloud348.fnal.gov and
- itb-ce2.chtc.wisc.edu were the CEs used for testing
- SCITOKENS needs to be in the SEC_DEFAULT_AUTHENTICATION_METHODS for both condor(factory) and condor_ce (CE)
- an entry in the condor_ce's condor_mapfile is needed to map a scitoken issuer to a user like so:
SCITOKENS https://jobsub.fnal.gov osg
- this is an example of mapping scitokens issued by jobsub.fnal.gov to user 'osg'
- The scitokens I used for this testing were generated using the python-scitokens package v1.2.2
- I will generate tokens for the tester if they so desire
- offsite CE's like itb.ce2.chtc.wisc.edu need to have iptables entries in the frontend configuration, or glideins will start but never connect back