
Re: [HTCondor-users] What happens to x509* job attributes when Condor drops GCT?



You should distinguish authorization vs. credentials for payload use-case.

Missing GSI support in HTCondor 10 (or earlier HTCondor releases in OSG 3.6) means you must use SCITOKEN for job submission, but that doesn't prevent you from passing an X.509 proxy via the standard x509userproxy job submission parameter. This is what ATLAS [1] uses for production job submission (and most probably "all grid users" also still rely on X.509 for job payload).

x509* classAd attributes will be available till we fully migrate to tokens and completely drop X.509 even for job payload. There is a good chance that ATLAS will not drop X.509 till the end of Run3 (2026); in our software (Rucio, FTS, ...) token support is so basic that it currently makes no sense to use it (safely) in production, site services (e.g. storage) are not yet ready for tokens, and some storage implementations still don't even pass all our compliance tests. There may also be changes in the job submission token content (e.g. currently ATLAS and CMS tokens don't provide the same claims).


There were several OSG workshops where the OSG/HTCondor team presented GSI-free HTCondor, but maybe it was not sufficiently advertised to non-OSG sites what exactly dropping Globus support from HTCondor means. Also OSG promised to come with documentation and examples of how to use tokens "correctly" for job routing, but as far as I know this still doesn't exist ... most probably not an important topic, because anyway everybody uses X.509 proxy for payload.


Personally I still rely on x509* classAds for job routing even for jobs submitted with tokens.


Petr

[1] https://indico.cern.ch/event/1115413/contributions/4708335/attachments/2384202/4074331/Token_S%26C_220203-1.pdf

On 2/17/22 21:50, Stefano Dal Pra wrote:
One more comment:

assuming that you might have a number of places in htcondor (or external tools) where the existence of a job classad named X509UserProxyVOName
is required, you could probably just add it yourself with routes in the condor-ce. For example:

JOB_ROUTER_ROUTE_atlas @=jrt
  REQUIREMENTS AuthTokenIssuer =?= "https://atlas-auth.web.cern.ch/"
  UNIVERSE VANILLA
  [...]
  SET X509UserProxyVOName "atlas"
@jrt

And you should see the X509UserProxyVOName classad defined in the routed job.

Stefano

Il 17/02/22 18:15, Stefano Dal Pra ha scritto:
Hello Max,
I performed a few tests in order to understand that, for what concerns submission to the HTCondor-CE (5.1.x on top of HTCondor 9.0.x)
An example working configuration for the condorce scitokens mapfile and jobrouter can be found here:
https://twiki.cern.ch/twiki/bin/view/LCG/HTCondorCEtokenConfigTips

One use case that I would like to address is, for example, configuration for hierarchical fairshare. I came up with a potentially working
solution which depends however on one assumption about how the equivalent of the FQAN (i.e. something like to say, "/voname/groupname")
is reported in the jwt. That solution is also reported in the above wiki page.

Cheers,
Stefano


Il 17/02/22 17:57, Fischer, Max (SCC) ha scritto:
Hi all,

in the struggle for switching to WLCG Tokens from GSI we realised that a lot of our infrastructure uses the x509* Job ClassAds such as X509UserProxyVOName. For now these are still there since pilots have a GSI proxy for other tasks anyway, so everything runs smoothly for now.
But it's not really clear to us how much we can rely on that in the future.

Will HTCondor still be able to provide these job attributes when it drops GSI/GCT in the 10.0 series?

Cheers,
Max


_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/

