[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Question about scitoken authZ support

Hi Diego,

Right now,
- You can map the issuer to a HTCondor identity or the issuer + username to an identity using the mapfile.
- The scopes in the token can limit the authorizations given to the session.  I.e., you can limit someone to read-only even if their identity also has administrator privileges.

Posted for review are:
- Including group info into the job ad (allows group-aware routing) https://github.com/htcondor/htcondor/pull/140
- Include directories for mapfiles (allows easier management of the mapfile) https://github.com/htcondor/htcondor/pull/141
- Following the bearer token discovery document (allows you to store tokens in standard places instead of telling HTCondor the filename explicitly) https://github.com/htcondor/htcondor/pull/142

To turn the question a bit - instead of what HTCondor does now, can you tell me what you'd like to accomplish?  That might be a better way to get at the best solution if the current features don't meet your needs.


> On Nov 30, 2020, at 5:42 PM, Diego Ciangottini <diego.ciangottini@xxxxxxxxxx> wrote:
> Hi,
> I'm trying to use and to understand what is the model of scitoken authZ currently supported by HTCondor, in order to integrate our condor pool with an IAM instance.
> After a first quick run, I managed to map the scitoken endpoint as a user usign the condormapile and everything ran pretty smoothly.
> The question now is, can one go deeper in granularity e.g. mapping group claims of the token to a user in condor map file, or, in alternative, using a scope based authZ model? I couldn't find a way to do that.
> Thanks in advance,
> Diego
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/