
[HTCondor-users] Simulating HTCondor's delegation of a proxy (fwd)




I am trying to debug a situation where the condor pool
is running with GSI authentication, and DELEGATE_JOB_GSI_CREDENTIALS
is at its default value of TRUE.

At submission each user typically has an X.509 proxy (legacy format) with a DN like:

/DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=gpsn01.fnal.gov/CN=cron/CN=Steven C. Timm/CN=UID:timm/CN=proxy

At execution condor does a second delegation such that we are then dealing with

/DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=gpsn01.fnal.gov/CN=cron/CN=Steven C. Timm/CN=UID:timm/CN=proxy/CN=proxy

and it is this double-delegated proxy which is failing to authenticate
with the resource.

My question: is there any way to delegate the proxy using the same method
that condor does so as to reliably reproduce such a proxy without having
to steal it off of a worker node from a running job every time?

Steve Timm



------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Scientific Computing Division, Scientific Computing Services Quad.
Grid and Cloud Services Dept., Group leader of Grid and Cloud Services Operations. Lead of FermiCloud Project.
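
Added example, not part of the original message and not HTCondor code: a small helper for triaging authentication logs that reports how many legacy delegation steps a subject DN carries and which end-entity identity it reduces to. It assumes the legacy Globus naming convention seen in the DNs above (each delegation appends `CN=proxy` or `CN=limited proxy`); the function names and the third sample DN are constructed for illustration.

```python
import re

# Legacy (pre-RFC 3820) proxies mark each delegation by appending one of
# these CN values to the issuer's subject (assumption stated in the lead-in).
PROXY_CNS = {"proxy", "limited proxy"}

# A component starts at "/" followed by an attribute type and "=". Splitting
# there, not on every "/", keeps values like "CN=host/node.example.org" whole.
_COMPONENT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def split_dn(dn):
    """Split an OpenSSL one-line DN into (type, value) pairs."""
    pieces = _COMPONENT.split(dn)
    if pieces[0] != "" or len(pieces) < 2:
        raise ValueError("expected a DN of the form /TYPE=value/...")
    return [tuple(p.split("=", 1)) for p in pieces[1:]]


def delegation_info(dn):
    """Return (end_entity_dn, delegation_depth, limited) for a subject DN."""
    parts = split_dn(dn)
    depth, limited = 0, False
    # Peel proxy markers off the tail only; a CN=proxy in the middle of a DN
    # is part of the identity, not a delegation step.
    while parts and parts[-1][0].upper() == "CN" and parts[-1][1] in PROXY_CNS:
        limited = limited or parts[-1][1] == "limited proxy"
        parts.pop()
        depth += 1
    identity = "".join("/%s=%s" % (k, v) for k, v in parts)
    return identity, depth, limited


# First two DNs are the ones quoted in the message; the third is constructed.
BASE = ("/DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=gpsn01.fnal.gov"
        "/CN=cron/CN=Steven C. Timm/CN=UID:timm")
SAMPLES = [
    BASE + "/CN=proxy",
    BASE + "/CN=proxy/CN=proxy",
    "/DC=org/DC=example/CN=host/node.example.org/CN=limited proxy",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        identity, depth, limited = delegation_info(dn)
        print("depth=%d limited=%s identity=%s" % (depth, limited, identity))
```

Run against the subject DNs a failing resource logs, this confirms whether rejections line up with depth 2 while depth 1 from the same identity is accepted.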