Project

General

Profile

Feature #24250

scitoken support - factory schedds to CE's

Added by Dennis Box 6 months ago. Updated 6 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
03/30/2020
Due date:
% Done:

0%

Estimated time:
Stakeholders:
Duration:

Description

This is a follow-on to #23092 - add support for SciToken authentiction from factory schedds to entry point CE's.
Document changes to condor configuration needed to make this work.

History

#1 Updated by Dennis Box 6 months ago

Notes on using this feature.

  • factory condor needs to be a SciTokens supporting version (>8.9.1)
  • CE needs to be a SciTokens supporting version (>4.0.1)
    • fermicloud348.fnal.gov and
    • itb-ce2.chtc.wisc.edu were the CEs used for testing
  • SCITOKENS needs to be in the SEC_DEFAULT_AUTHENTICATION_METHODS for both condor(factory) and condor_ce (CE)
  • an entry in the condor_ce's condor_mapfile is needed to map a scitoken issuer to a user like so:
    SCITOKENS https://jobsub.fnal.gov osg 
    
    • this is an example of mapping scitokens issued by jobsub.fnal.gov to user 'osg'
    • The scitokens I used for this testing were generated using the python-scitokens package v1.2.2
    • I will generate tokens for the tester if they so desire
  • offsite CE's like itb.ce2.chtc.wisc.edu need to have iptables entries in the frontend configuration, or glideins will start but never connect back

#2 Updated by Dennis Box 6 months ago

  • Assignee changed from Dennis Box to Bruno Coimbra
  • Status changed from New to Feedback

Please see git branch v37/24250 for code to review



Also available in: Atom PDF