
Re: [HTCondor-users] OAuthCredmon and Schedd: markfile names consistency



Hi Benoit,

I believe you are correct about this code not looking at the correct path for the mark file. The good news is that this code is redundant, the condor_credd is in charge of sweeping the credentials (credmon_sweep_creds is the function referenced in the condor_credd code that handles this, if you're curious). I will plan on removing this code from the OAuth credmon...

...unless you are indeed finding that credentials are not being properly swept by the credd. In which case, it would be easy to fix the redundant code, but would also imply a bug in the credd that we should also look into.

Thanks for the detailed report!

Jason

On Thu, Sep 7, 2023 at 11:11 AM Benoit Roland <benoit.roland@xxxxxxx> wrote:
Dear all,

I understand that a markfile is used to take the decision to remove tokens when the markfile lifetime exceeds some threshold.

o) This is used in the functions "should_delete" and "delete_tokens" in the OAuth Credential Monitor [1].

In these functions, the markfile name is defined as:

mark_path = os.path.join(self.cred_dir, username, token_name + '.mark') [convention 1]

following the same convention as for the ".top" and ".use" tokens.

o) The markfile, if I am correct, is created in the schedd [2] via:

auto_free_ptr cred_dir_oauth(param("SEC_CREDENTIAL_DIRECTORY_OAUTH"));
....
credmon_mark_creds_for_sweeping(cred_dir_oauth, owner_info.Name()); [convention 2]

with "credmon_mark_creds_for_sweeping(const char * cred_dir, const char* user)" defined in the credmon interface [3].

o) The first convention will result in e.g.:

SEC_CREDENTIAL_DIRECTORY_OAUTH/username/token_name.mark

while the second convention will result in:

SEC_CREDENTIAL_DIRECTORY_OAUTH/username.mark

o) Making a test, I can indeed find on my submit node:

/var/lib/condor/mytoken_credentials/benoit_roland.mark

while the OAuth Credential Monitor is looking for:

/var/lib/condor/mytoken_credentials/benoit_roland/helmholtz.mark

As a result, the markfile is not found, and the ".top", ".use" and ".mark" files are not deleted after expiration of the markfile.

Am I missing something, or are my observations correct?

Thanks a lot in advance for your help!

Cheers,
Benoit

[1] src/condor_credd/condor_credmon_oauth/credmon/CredentialMonitors/OAuthCredmon.py
[2] src/condor_schedd.V6/schedd.cpp
[3] src/condor_utils/credmon_interface.cpp
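The two naming conventions described in the report, reproduced as an added example so the mismatch can be checked on a real SEC_CREDENTIAL_DIRECTORY_OAUTH tree. This is not HTCondor's own code: the two path builders only mirror the conventions quoted above, the sweep threshold argument and the sample directory layout are assumptions, and the audit looks for the token-level mark the credmon expects first and then falls back to the user-level mark the schedd writes, reporting which one it found and whether it is older than the threshold.

```python
import os
import tempfile
import time

# Added illustration, not code from HTCondor. The two path builders mirror the
# conventions described in the thread; the sweep threshold and the sample
# directory layout below are assumptions.


def credmon_mark_path(cred_dir, username, token_name):
    """Convention 1 (OAuth credmon side): <cred_dir>/<user>/<token>.mark"""
    return os.path.join(cred_dir, username, token_name + ".mark")


def schedd_mark_path(cred_dir, username):
    """Convention 2 (schedd / credmon_interface side): <cred_dir>/<user>.mark"""
    return os.path.join(cred_dir, username + ".mark")


def conventions_agree(cred_dir, username, token_name):
    """True only if both sides would look at the same file (they do not)."""
    return credmon_mark_path(cred_dir, username, token_name) == schedd_mark_path(cred_dir, username)


def list_tokens(cred_dir, username):
    """Token names for a user, taken from the .top/.use files in the user's subdirectory."""
    user_dir = os.path.join(cred_dir, username)
    if not os.path.isdir(user_dir):
        return []
    names = {os.path.splitext(f)[0] for f in os.listdir(user_dir)
             if f.endswith((".top", ".use"))}
    return sorted(names)


def audit_marks(cred_dir, username, sweep_delay, now=None):
    """Map each token to (which convention's mark file exists, mark older than sweep_delay).

    The token-level mark (what the credmon expects) is checked first, then the
    user-level mark (what the schedd writes). None means neither file exists.
    """
    now = time.time() if now is None else now
    user_mark = schedd_mark_path(cred_dir, username)
    report = {}
    for token in list_tokens(cred_dir, username):
        token_mark = credmon_mark_path(cred_dir, username, token)
        if os.path.exists(token_mark):
            found, path = "token", token_mark
        elif os.path.exists(user_mark):
            found, path = "user", user_mark
        else:
            report[token] = (None, False)
            continue
        expired = (now - os.path.getmtime(path)) >= sweep_delay
        report[token] = (found, expired)
    return report


def build_sample_dir(now=None):
    """Constructed sample credential directory (assumed layout) mirroring the report."""
    now = time.time() if now is None else now
    root = tempfile.mkdtemp(prefix="credmon_marks_")

    def touch(path, age_seconds):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x")
        os.utime(path, (now - age_seconds, now - age_seconds))

    # benoit_roland: .top/.use tokens plus a user-level mark written two hours ago
    touch(os.path.join(root, "benoit_roland", "helmholtz.top"), 0)
    touch(os.path.join(root, "benoit_roland", "helmholtz.use"), 0)
    touch(schedd_mark_path(root, "benoit_roland"), 7200)
    # alice: a token-level mark file, written one minute ago
    touch(os.path.join(root, "alice", "cms.top"), 0)
    touch(credmon_mark_path(root, "alice", "cms"), 60)
    # bob: tokens but no mark file under either convention
    touch(os.path.join(root, "bob", "dune.use"), 0)
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for user in ("benoit_roland", "alice", "bob"):
        print(user, audit_marks(root, user, 3600))
```

Pointing `audit_marks` at the real credential directory with the site's sweep delay shows, per token, whether a mark file exists at all and under which convention, which is the quickest way to tell whether the credd is sweeping (the expired user-level marks disappear along with their tokens) or whether they are piling up as the report describes.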