
[HTCondor-users] Questions about SciTokens authentication versus dagman...

So we're testing using SciTokens authentication and the condor-credmon-vault components,
and I have a couple of ways I think DAGs could work, but I'm wondering what is the Right Way...
So option 1, using SciTokens authentication for all submissions, means the dagman needs a
credential pushed to it, so that it can use that for authentication to launch the jobs. As far
as I can see, that requires us to run the dagman job in a universe=local slot, rather than a
universe=scheduler, because universe=scheduler doesn't run the condor_start that actually
fetches the credentials. If one does this, one also needs to set BEARER_TOKEN_FILE
in the dagman's environment so it can *find* the credential to authenticate the launches.

Option 2 would be to use FS authentication for the dagman to launch the jobs; then we could
run it in universe=scheduler slots, but it's not clear to me that the jobs it launches always end
up with the right credentials, depending on how the mapping to local users is set up.

In any case, one has to set _condor_SEC_CREDENTIAL_STORER=/bin/true in the environment
for the dagman, so that it doesn't try to store credentials for the jobs it is submitting, since
the person who launched the dagman job already did that.

Or perhaps there is a third option I'm unaware of? Did I miss some simpler way to get this working?

Marc Mengel <mengel@xxxxxxxx>
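The following is an added illustration of what "option 1" from the post above amounts to in practice; it is not code from the post or from HTCondor. It assumes a `.condor.sub` file already generated by `condor_submit_dag` (for example with `-no_submit`), containing a `universe = scheduler` line and an `environment =` line in either HTCondor's old `;`-separated or new double-quoted format, and it rewrites that file so the dagman runs in the local universe with `BEARER_TOKEN_FILE` and `_condor_SEC_CREDENTIAL_STORER=/bin/true` in its environment. The token path and file names are placeholders.

```bash
#!/bin/bash
# Rewrite a condor_submit_dag-generated .condor.sub so the dagman job runs in
# the local universe and carries the two environment settings from the post.
# Assumption (not from the post): the input has a "universe = scheduler" line
# and an "environment =" line in either ';'-separated or quoted format.
set -eu

# patch_dagman_sub <sub-file> <bearer-token-path>
# Writes <sub-file>.local and prints its name.
patch_dagman_sub() {
    local sub="$1" token="$2"
    local extra="BEARER_TOKEN_FILE=${token};_condor_SEC_CREDENTIAL_STORER=/bin/true"
    local out="${sub}.local"
    local seen_env=0 line
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            universe*=*scheduler*)
                # option 1: local universe, so the starter fetches the credential
                printf 'universe = local\n' >> "$out" ;;
            environment*=*\"*)
                # new quoted format: entries are space-separated inside the quotes
                seen_env=1
                printf '%s\n' "${line%\"} ${extra//;/ }\"" >> "$out" ;;
            environment*=*)
                # old format: entries are ';'-separated, no quotes
                seen_env=1
                printf '%s;%s\n' "$line" "$extra" >> "$out" ;;
            queue*)
                # no environment line at all: add one before the queue statement
                [ "$seen_env" -eq 1 ] || printf 'environment = %s\n' "$extra" >> "$out"
                seen_env=1
                printf '%s\n' "$line" >> "$out" ;;
            *)
                printf '%s\n' "$line" >> "$out" ;;
        esac
    done < "$sub"
    printf '%s\n' "$out"
}

# Usage: ./patch_dagman_sub.sh mydag.dag.condor.sub /path/to/bearer_token
if [ -n "${1:-}" ]; then
    patch_dagman_sub "$1" "${2:?bearer token path required}"
fi
```

The resulting `.local` file can then be handed to `condor_submit` in place of the generated one; the credential itself must still have been stored by the submitting user beforehand, as the post notes.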