[HTCondor-users] Token based authentication and draining worker nodes

[Caspart, Renà (SCC) <rene.caspart@xxxxxxx>]

Dear HTCondor experts,

We are currently trying to switch our cluster from using password
authentication to a token based approach. For this we updated to
HTCondor 8.9.11.
In our setup we do not want to have the pool password present on all
nodes, but only the central manager (mainly for security reasons as some
worker nodes will be hosted off site outside of our direct control and
we want to avoid having to use the pool password for them).
We have created a token on the central manager for the respective user
and with the needed capabilities and distributed it to the worker nodes.

After deploying the tokens starting up HTCondor on the worker nodes
works fine and also jobs run fine.
However, we noticed that we are unable to drain the worker nodes from
our central manager as we are unable to authenticate with the worker nodes.

Reading the documentation, this probably is the case as there is no
password present on the worker nodes and hence no (valid) tokens can be
used for authenticating with them.
Now I am a bit lost, since our original assumption was that we do not
need to distribute a (common) password to the worker nodes (which could
then be used to create a token for authenticating with the worker nodes).

Are we missing something obvious here? Is there any recommended way how
to achieve what we intend?

Thanks,
Rene

-- 
Karlsruher Institut fÃr Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Dr. Renà Caspart

Hermann-von-Helmholtz-Platz 1 
76344 Eggenstein-Leopoldshafen, Germany
Telefon: +49 721 608-25631
E-mail: Rene.Caspart@xxxxxxx


Sitz der KÃrperschaft:
KaiserstraÃe 12, 76131 Karlsruhe



KIT â Die ForschungsuniversitÃt in der Helmholtz-Gemeinschaft

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature