
[HTCondor-users] Documentation about tokens workflows
Greetings, I'm looking for detailed documentation about the token authentication workflows (IDTOKENS, SciTokens ...).

Specifically, I read the authentication section in the manual (https://htcondor.readthedocs.io/en/latest/admin-manual/security.html#token-authentication and more)
and I have some questions, especially about when SSL authentication and X.509 certificates are required.

1. It seems that once the client has an IDTOKEN, SSL authentication and client or server certificates are not needed. Is this correct?
How is authentication (a confidential channel) bootstrapped?

2. Is the above the same also for daemon-to-daemon connections?
E.g. a schedd or startd talking to a collector where I'm assuming the collector to be the IDTOKEN issuer and the only server w/ the password to issue/decode tokens.

3. In the daemon-to-daemon communication section (https://htcondor.readthedocs.io/en/latest/admin-manual/security.html#daemon-to-daemon-connections-daemon-authentication) I read about limitations of some features if the server does not have the password to verify the tokens. I have to verify with the latest HTCSS; I did not remember these.
E.g., can a schedd do a condor_ssh_to_job also without having the POOL password (only the collector has the password to sign and verify the IDTOKENS)?

4. SSL and at least a server certificate are needed when a token is retrieved (condor_token_request, condor_token_fetch).
Is the retrieval (communication channel) secure also without a client certificate?
I'm not assuming a secure/private network and I know that the requestor is unauthenticated; I'm asking from the client's point of view whether it can use that token to start an encrypted communication with the server.

5. With SciTokens or WLCG IAM I think the server must have a valid host/server certificate even if the client already has the token. Is this because it relies on an external verification system?
Does the client need a trusted certificate as well? Only when requesting a token?

6. Certificates are OK as long as they are recognized by both the server and the client involved in the communication (or all the parties if there is a multi-party interaction).
If some certificates (e.g. Let's Encrypt certificates) are not working, it is because at least one of the parties involved (client, CE, token verifier, ...) is not accepting them. Correct?

Feel free to point me to documents (white papers, articles, ...) for some of the answers.
Or PM me if the information is confidential.

Thank you,
Marco Mambelli
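A worked illustration of the point behind question 3 (which party needs the pool password to verify an IDTOKEN), added here as an example; it is not code from the HTCondor project nor from the post above. IDTOKENS are JWTs signed with HMAC-SHA256 using the pool signing key, so any daemon can decode the claims, but only a holder of that key can check the signature. The pool key, trust domain, identity, scope and lifetime below are constructed values; the claim names (iss, sub, iat, jti, kid, scope, exp) are modelled on the IDTOKENS layout, and the real daemon-side verification is done by HTCondor itself, not by this script.

```python
"""Decode and verify an IDTOKEN-style JWT (HS256).

Added example, not HTCondor project code. All key material and claim
values are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_idtoken(pool_key: bytes, identity: str, trust_domain: str,
                 kid: str = "POOL", scope: Optional[str] = None,
                 lifetime: Optional[int] = None,
                 now: Optional[int] = None) -> str:
    """Sign a token the way the key holder (e.g. the collector) would.

    Claim layout modelled on IDTOKENS: iss = trust domain, sub = identity,
    kid in the header names the signing key ("POOL" is the default name).
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"iss": trust_domain, "sub": identity, "iat": now,
               "jti": secrets.token_hex(16)}
    if scope:
        payload["scope"] = scope          # e.g. "condor:/READ condor:/WRITE"
    if lifetime is not None:
        payload["exp"] = now + lifetime   # omitted => token never expires
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload))
    sig = hmac.new(pool_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(token: str) -> Tuple[dict, dict]:
    """Parse header and payload WITHOUT checking the signature.

    Any party (a schedd without the pool password, a packet sniffer) can do
    this; it says nothing about who issued the token.
    """
    header_b64, payload_b64, _sig = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def verify_idtoken(token: str, signing_keys: Dict[str, bytes],
                   now: Optional[int] = None) -> dict:
    """Return the claims if the token verifies under signing_keys (kid -> key).

    Raises ValueError otherwise. A party with an empty key dict (no pool
    password) can never get past this function.
    """
    header, payload = decode_claims(token)
    # Pin the algorithm: never let the token header pick "none" or an
    # asymmetric alg and turn the HMAC key into a public key.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg %r" % header.get("alg"))
    key = signing_keys.get(header.get("kid"))
    if key is None:
        raise ValueError("no signing key for kid %r" % header.get("kid"))
    signing_input, sig_b64 = token.rsplit(".", 1)
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def check(token: str, signing_keys: Dict[str, bytes],
          now: Optional[int] = None) -> Tuple[bool, str]:
    """Boolean wrapper around verify_idtoken: (verified, reason)."""
    try:
        verify_idtoken(token, signing_keys, now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    POOL_KEY = b"constructed-pool-signing-key-not-a-real-one"   # constructed
    tok = mint_idtoken(POOL_KEY, "condor@example.pool", "example.pool",
                       scope="condor:/READ condor:/WRITE", lifetime=3600)
    print("claims visible to anyone:", decode_claims(tok)[1])
    print("collector (has key):    ", check(tok, {"POOL": POOL_KEY}))
    print("schedd (no key):        ", check(tok, {}))
    print("wrong key:              ", check(tok, {"POOL": b"other"}))
```

Run it as a script to see the three outcomes side by side: the claims are readable by everyone, but only the holder of the POOL key gets a positive verification, which is exactly the asymmetry the manual's daemon-to-daemon section is describing.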