Bug #25504

factory should not check condor_tarball version prior to attempting SciTokens authentication to CE

Added by Dennis Box 2 months ago. Updated about 2 months ago.


The token hackathon of Feb 05 2021 revealed a bug in the SciTokens authentication chain assumptions, which were borrowed from the previously implemented IDTokens auth chain.

With IDTokens, the intent is to authenticate from running glideins back to the vofrontend collector. The frontend generates unique IDTokens for each glidein site so that glideins from a site can be disabled by invalidating a particular token. The frontend checks that glideins for a particular site can use IDTokens by checking the condor tarball version prior to generating one and passing it on.

With SciTokens, the intent is to authenticate to the CE from the factory on behalf of the frontend, which has passed its authorizing SciToken to the factory. Multiple SciTokens for each CE are not needed. What is needed is for the CE to be configured to accept the frontend's SciToken.

The SciToken, or SciTokens, that the frontend presents should be specified in the frontend.xml. The file name need not match any particular glidein site, but it is forwarded to the factory to be used to authenticate with the CEs. If SciTokens authentication fails at this point, the factory should fall back to using GSI authentication.
Related issue: #25200 Consider tokens for glidein submission the same way as grid_proxy, ssh keys
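
The difference between the reported behaviour and the requested one, as an added Python sketch that is not GlideinWMS code and not part of the original ticket. Every name in it (`Entry`, `ce_auth_plan_buggy`, `ce_auth_plan_fixed`, `authenticate`) and the version threshold are hypothetical and constructed for illustration.

```python
# Added illustration; all names are hypothetical, not GlideinWMS code.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed threshold standing in for "tarball new enough for IDTokens".
MIN_IDTOKEN_TARBALL = (8, 9, 2)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.9.11' into (8, 9, 11) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

@dataclass
class Entry:
    name: str
    tarball_version: str          # condor tarball shipped to the glidein
    scitoken_path: Optional[str]  # token file forwarded by the frontend
    proxy_path: Optional[str]     # GSI proxy, if one is available

def glidein_may_use_idtoken(entry: Entry) -> bool:
    """Glidein-to-collector concern: this is where the tarball check belongs."""
    return parse_version(entry.tarball_version) >= MIN_IDTOKEN_TARBALL

def ce_auth_plan_buggy(entry: Entry) -> List[str]:
    """Reported behaviour: SciTokens to the CE gated on the tarball version."""
    plan = []
    if entry.scitoken_path and glidein_may_use_idtoken(entry):
        plan.append("scitoken")
    if entry.proxy_path:
        plan.append("gsi")
    return plan

def ce_auth_plan_fixed(entry: Entry) -> List[str]:
    """Requested behaviour: try the forwarded SciToken first, then GSI."""
    plan = []
    if entry.scitoken_path:
        plan.append("scitoken")
    if entry.proxy_path:
        plan.append("gsi")
    return plan

def authenticate(entry: Entry, plan: List[str],
                 try_method: Callable[[Entry, str], bool]) -> Optional[str]:
    """Walk the plan in order; return the first method the CE accepts."""
    for method in plan:
        if try_method(entry, method):
            return method
    return None
```
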


#1 Updated by Dennis Box 2 months ago

  • Assignee changed from Dennis Box to Marco Mambelli
  • Status changed from New to Feedback

#2 Updated by Marco Mambelli about 2 months ago

  • Assignee changed from Marco Mambelli to Dennis Box

#3 Updated by Dennis Box about 2 months ago

  • Status changed from Feedback to Resolved

Feedback implemented and merged to branch_v3_7.
