
Re: [HTCondor-users] Question about scitoken authZ support



Hi Diego,

Right now,
- You can map the issuer to a HTCondor identity or the issuer + username to an identity using the mapfile.
- The scopes in the token can limit the authorizations given to the session.  I.e., you can limit someone to read-only even if their identity also has administrator privileges.

Posted for review are:
- Including group info into the job ad (allows group-aware routing) https://github.com/htcondor/htcondor/pull/140
- Include directories for mapfiles (allows easier management of the mapfile) https://github.com/htcondor/htcondor/pull/141
- Following the bearer token discovery document (allows you to store tokens in standard places instead of telling HTCondor the filename explicitly) https://github.com/htcondor/htcondor/pull/142

To turn the question a bit - instead of what HTCondor does now, can you tell me what you'd like to accomplish?  That might be a better way to get at the best solution if the current features don't meet your needs.

Brian
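To make the two mechanisms in the reply above concrete, here is a small added model (not HTCondor's own code) of a unified mapfile applied to a SciToken. It assumes that the string matched for SCITOKENS entries is "<issuer>,<subject>", that scopes named condor:/READ and condor:/WRITE restrict the session, and that a token carrying no such scope keeps the mapped identity's full authorization; the mapfile contents and the iam.example.org issuer are constructed.

```python
import re

# Constructed mapfile in the HTCondor unified-mapfile shape:
# <method> <regex> <canonical identity>. The SCITOKENS principal is assumed
# to be "<issuer>,<subject>", so one entry can map a single issuer+subject
# and a later, looser entry can map everyone else from that issuer.
MAPFILE = """
# issuer + subject first: more specific entries must come before looser ones
SCITOKENS /^https:\\/\\/iam\\.example\\.org\\/,alice$/ alice
# whole issuer: any other subject from this IAM becomes a shared pool user
SCITOKENS /^https:\\/\\/iam\\.example\\.org\\/,/ iamuser
"""

# Assumed scope-to-authorization names. Scopes only narrow what the mapped
# identity may do; they never add authorizations the identity lacks.
SCOPE_TO_AUTHZ = {"condor:/READ": "READ", "condor:/WRITE": "WRITE"}

def parse_mapfile(text):
    """Return (method, compiled regex, identity) tuples in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        method, pattern, identity = line.split(None, 2)
        if pattern.startswith("/") and pattern.endswith("/"):
            pattern = pattern[1:-1]          # strip the /.../ delimiters
        entries.append((method, re.compile(pattern), identity))
    return entries

def map_identity(entries, issuer, subject):
    """First matching SCITOKENS entry wins; None means the token is unmapped."""
    principal = f"{issuer},{subject}"
    for method, rx, identity in entries:
        if method == "SCITOKENS" and rx.search(principal):
            return identity
    return None

def effective_authz(identity_authz, scopes):
    """Intersect the identity's configured authorizations with the token's scopes."""
    requested = {SCOPE_TO_AUTHZ[s] for s in scopes if s in SCOPE_TO_AUTHZ}
    if not requested:                        # assumption: no condor scope, no narrowing
        return set(identity_authz)
    return set(identity_authz) & requested
```

Running it shows the point made above: a subject mapped to an administrator identity but presenting only condor:/READ ends up read-only for that session.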

> On Nov 30, 2020, at 5:42 PM, Diego Ciangottini <diego.ciangottini@xxxxxxxxxx> wrote:
> 
> Hi,
> 
> I'm trying to use, and to understand, the model of scitoken authZ currently supported by HTCondor, in order to integrate our condor pool with an IAM instance.
> After a first quick run, I managed to map the scitoken endpoint as a user using the condor mapfile and everything ran pretty smoothly.
> 
> The question now is, can one go deeper in granularity, e.g. mapping group claims of the token to a user in the condor map file, or, alternatively, using a scope-based authZ model? I couldn't find a way to do that.
> 
> Thanks in advance,
> Diego