Feature #24250

scitoken support - factory schedds to CE's

Added by Dennis Box 8 months ago. Updated 23 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category:
-
Target version:
Start date: 03/30/2020
Due date:
% Done: 0%
Estimated time:
Stakeholders: OSG
Duration:

Description

This is a follow-on to #23092 - add support for SciToken authentication from factory schedds to entry point CE's.
Document changes to condor configuration needed to make this work.

History

#1 Updated by Dennis Box 8 months ago

Notes on using this feature.

  • factory condor needs to be a SciTokens supporting version (>8.9.1)
  • CE needs to be a SciTokens supporting version (>4.0.1)
    • fermicloud348.fnal.gov and
    • itb-ce2.chtc.wisc.edu were the CEs used for testing
  • SCITOKENS needs to be in the SEC_DEFAULT_AUTHENTICATION_METHODS for both condor(factory) and condor_ce (CE)
  • an entry in the condor_ce's condor_mapfile is needed to map a scitoken issuer to a user like so:
    SCITOKENS https://jobsub.fnal.gov osg 
    
    • this is an example of mapping scitokens issued by jobsub.fnal.gov to user 'osg'
    • The scitokens I used for this testing were generated using the python-scitokens package v1.2.2
    • I will generate tokens for the tester if they so desire
  • offsite CE's like itb.ce2.chtc.wisc.edu need to have iptables entries in the frontend configuration, or glideins will start but never connect back
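
A check for the two settings listed in the notes above, as an added example (not part of the ticket or of the GlideinWMS code). It assumes the CE matches a mapfile pattern as an unanchored regular expression against the token identity `issuer,subject`; the function names and sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs; only the SCITOKENS mapfile line comes from the notes.
CONDOR_CONFIG = "SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI, SCITOKENS\n"
CE_MAPFILE = "# condor_ce mapfile\nSCITOKENS https://jobsub.fnal.gov osg\n"
KNOB = "SEC_DEFAULT_AUTHENTICATION_METHODS"

def auth_methods(config_text):
    """Upper-cased method list from the last assignment of KNOB."""
    methods = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.strip().upper() == KNOB:
            methods = [m.upper() for m in re.split(r"[,\s]+", value.strip()) if m]
    return methods

def scitokens_rules(mapfile_text):
    """(pattern, user) pairs from SCITOKENS lines, with /.../ delimiters stripped."""
    rules = []
    for raw in mapfile_text.splitlines():
        parts = raw.split()
        if len(parts) == 3 and parts[0].upper() == "SCITOKENS":
            rules.append((re.sub(r"^/(.*)/$", r"\1", parts[1]), parts[2]))
    return rules

def map_identity(rules, issuer, subject):
    """Local user for a token identity; the first matching rule wins."""
    # Assumption: identity is 'issuer,subject' and patterns are unanchored regexes.
    identity = f"{issuer},{subject}"
    for pat, user in rules:
        if re.search(pat, identity):
            return user
    return None

def findings(config_text, mapfile_text):
    """Problems that would block SciTokens authentication or loosen the mapping."""
    out = []
    if "SCITOKENS" not in auth_methods(config_text):
        out.append(f"SCITOKENS missing from {KNOB}")
    rules = scitokens_rules(mapfile_text)
    if not rules:
        out.append("no SCITOKENS line in mapfile")
    for pat, user in rules:
        if not (pat.startswith("^") and pat.endswith("$")):
            out.append(f"pattern for '{user}' is not anchored: {pat}")
    return out
```

Run `findings()` once on the factory's condor configuration and once on the CE's configuration and mapfile. Under the stated assumption, an anchored rule such as `/^https:\/\/jobsub\.fnal\.gov,.*$/` (constructed here) limits the mapping to that exact issuer.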

#2 Updated by Dennis Box 8 months ago

  • Assignee changed from Dennis Box to Bruno Coimbra
  • Status changed from New to Feedback

Please see git branch v37/24250 for code to review

#3 Updated by Dennis Box 24 days ago

  • Status changed from Feedback to Resolved

#4 Updated by Marco Mambelli 23 days ago

  • Stakeholders updated (diff)

#5 Updated by Marco Mambelli 23 days ago

  • Assignee changed from Bruno Coimbra to Dennis Box
