
Re: [HTCondor-users] Question about scitoken authZ support



Hi Brian,

thanks for the overview. I'd say that for now the issuer + username --> identity would be enough, but I could not find how to do that, can you point me to some refs?

Also, I'll be interested in routing based on groups, so I think I'll keep an eye on the PR you posted.

Diego

On 12/2/2020 3:40 PM, Bockelman, Brian wrote:
Hi Diego,

Right now,
- You can map the issuer to a HTCondor identity or the issuer + username to an identity using the mapfile.
- The scopes in the token can limit the authorizations given to the session.  I.e., you can limit someone to read-only even if their identity also has administrator privileges.

Posted for review are:
- Including group info into the job ad (allows group-aware routing) https://github.com/htcondor/htcondor/pull/140
- Include directories for mapfiles (allows easier management of the mapfile) https://github.com/htcondor/htcondor/pull/141
- Following the bearer token discovery document (allows you to store tokens in standard places instead of telling HTCondor the filename explicitly) https://github.com/htcondor/htcondor/pull/142

To turn the question a bit - instead of what HTCondor does now, can you tell me what you'd like to accomplish?  That might be a better way to get at the best solution if the current features don't meet your needs.

Brian

On Nov 30, 2020, at 5:42 PM, Diego Ciangottini <diego.ciangottini@xxxxxxxxxx> wrote:

Hi,

I'm trying to use and to understand what is the model of scitoken authZ currently supported by HTCondor, in order to integrate our condor pool with an IAM instance.
After a first quick run, I managed to map the scitoken endpoint as a user using the condor mapfile and everything ran pretty smoothly.

The question now is, can one go deeper in granularity e.g. mapping group claims of the token to a user in condor map file, or, in alternative, using a scope based authZ model? I couldn't find a way to do that.

Thanks in advance,
Diego
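The mapping Brian describes (issuer-only, or issuer + username, to an HTCondor identity via the mapfile) can be illustrated with a small simulation. This is an added example, not HTCondor's own code and not part of the thread; the mapfile lines below are constructed, and it assumes that for the SCITOKENS method the mapfile regex is matched against the string "<iss>,<sub>" built from the token claims, that the first matching rule wins, and that Python's `re` is a close enough stand-in for HTCondor's PCRE matching. Check those assumptions against the manual for the release you run before relying on them.

```python
import re
from typing import Optional

# Constructed sample mapfile in the "METHOD /regex/ identity" layout.
# Assumption: for SCITOKENS the regex is matched against "<iss>,<sub>".
SAMPLE_MAPFILE = r"""
# issuer + subject -> a specific identity (anchored so nothing else matches)
SCITOKENS /^https:\/\/iam\.example\.org\/,diego$/ diego
# issuer only -> a shared identity for every other subject from that issuer
SCITOKENS /^https:\/\/iam\.example\.org\/,/ iam_user
# lines for other methods are ignored by the SCITOKENS lookup
GSI /.*/ gsi_default
"""

# Constructed anti-example: an unanchored, unescaped issuer pattern.
# It also matches look-alike issuers, which is why the real rules above
# anchor the pattern and escape the dots.
LOOSE_MAPFILE = r"""
SCITOKENS /iam.example.org/ iam_user
"""

# One mapfile line: method, a /.../-delimited regex (escaped slashes allowed),
# and the identity to map to.
LINE_RE = re.compile(r'^(\S+)\s+/((?:\\/|[^/])*)/\s+(\S+)\s*$')


def parse_mapfile(text: str):
    """Parse mapfile text into (method, compiled regex, identity) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable mapfile line: {raw!r}")
        method, pattern, identity = m.groups()
        # Python's re accepts "\/" as a literal slash, as PCRE does.
        rules.append((method, re.compile(pattern), identity))
    return rules


def map_scitoken(rules, claims: dict) -> Optional[str]:
    """Return the HTCondor identity for a token's claims, or None.

    Assumption: the match string is "<iss>,<sub>", the regex is applied
    unanchored (so rules should carry their own ^ and $), and the first
    SCITOKENS rule that matches wins.
    """
    subject = f"{claims['iss']},{claims['sub']}"
    for method, regex, identity in rules:
        if method == 'SCITOKENS' and regex.search(subject):
            return identity
    return None  # no mapping: the session gets no identity


def demo() -> dict:
    """Run the constructed tokens through both mapfiles."""
    strict = parse_mapfile(SAMPLE_MAPFILE)
    loose = parse_mapfile(LOOSE_MAPFILE)
    good_issuer = "https://iam.example.org/"
    lookalike = "https://iam.example.org.attacker.net/"
    return {
        "named_user": map_scitoken(strict, {"iss": good_issuer, "sub": "diego"}),
        "other_user": map_scitoken(strict, {"iss": good_issuer, "sub": "alice"}),
        "strict_lookalike": map_scitoken(strict, {"iss": lookalike, "sub": "diego"}),
        "loose_lookalike": map_scitoken(loose, {"iss": lookalike, "sub": "diego"}),
    }


if __name__ == "__main__":
    for name, identity in demo().items():
        print(f"{name}: {identity}")
```

The `strict_lookalike` result is `None` while `loose_lookalike` maps to `iam_user`: the only difference is the anchoring and escaping of the issuer pattern, which is the detail to check first when auditing a mapfile.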

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
