Feature #24250
scitoken support - factory schedds to CE's
Start date:
03/30/2020
Due date:
% Done:
0%
Estimated time:
Stakeholders:
Description
This is a follow-on to #23092 - add support for SciToken authentiction from factory schedds to entry point CE's.
Document changes to condor configuration needed to make this work.
History
#1 Updated by Dennis Box 6 months ago
Notes on using this feature.
- factory condor needs to be a SciTokens supporting version (>8.9.1)
- CE needs to be a SciTokens supporting version (>4.0.1)
- fermicloud348.fnal.gov and
- itb-ce2.chtc.wisc.edu were the CEs used for testing
- SCITOKENS needs to be in the SEC_DEFAULT_AUTHENTICATION_METHODS for both condor(factory) and condor_ce (CE)
- an entry in the condor_ce's condor_mapfile is needed to map a scitoken issuer to a user like so:
SCITOKENS https://jobsub.fnal.gov osg
- this is an example of mapping scitokens issued by jobsub.fnal.gov to user 'osg'
- The scitokens I used for this testing were generated using the python-scitokens package v1.2.2
- I will generate tokens for the tester if they so desire
- offsite CE's like itb.ce2.chtc.wisc.edu need to have iptables entries in the frontend configuration, or glideins will start but never connect back
#2 Updated by Dennis Box 6 months ago
- Assignee changed from Dennis Box to Bruno Coimbra
- Status changed from New to Feedback
Please see git branch v37/24250 for code to review