
Re: [HTCondor-users] condor_ce_trace authz with tokens?



Hello Thomas,

I run my tests with a jwt like this one:

[sdalpra@ui-htc ~]$ jwt.py -v mytoken
{
  "alg": "RS256",
  "kid": "rsa1"
}
{
  "sub": "9662c0b5-31a1-4478-963e-bdf3783232ed",
  "iss": "https://wlcg.cloud.cnaf.infn.it/",
  "wlcg.groups": [
    "/wlcg",
    "/wlcg/pilots",
    "/wlcg/xfers"
  ],
  "wlcg.ver": "1.0",
  "jti": "1af5e1a5-c1e6-431f-a7de-d9f2c6cfcb29",
  "exp": 1642177529,
  "iat": 1642173929,
  "client_id": "ad852b22-e517-44a4-99e8-7c0660f878a1",
  "scope": "openid compute.create profile compute.read storage.read:/ compute.modify eduperson_entitlement wlcg storage.create:/ offline_access compute.cancel eduperson_scoped_affiliation storage.modify:/ email wlcg.groups",
  "nbf": 1642173929,
  "aud": "https://wlcg.cern.ch/jwt/v1/any"
}
exp: Fri Jan 14 17:25:29 2022

I usually set:

export BEARER_TOKEN_FILE=/tmp/bt_u`id -u`
and put the scitoken there (chmod 600).

Then I submit jobs to the CE this way:
[sdalpra@ui-htc ~]$ export _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SCITOKENS ; condor_submit -pool ce01t-htc.cr.cnaf.infn.it:9619 -remote ce01t-htc.cr.cnaf.infn.it ce_scitok308.sub

The submit file looks like:

[sdalpra@ui-htc CE5]$ cat ce_scitok308.sub
universe = vanilla
use_scitokens = true
+Owner = undefined
[...]

The mapfile entry to match my user is:

[root@ce01t-htc ~]# grep 9662c0b5-31a1-4478-963e-bdf3783232ed /etc/condor-ce/mapfiles.d/10-scitokens.conf
SCITOKENS /^https:\/\/wlcg\.cloud\.cnaf\.infn\.it\/,9662c0b5-31a1-4478-963e-bdf3783232ed/ dteam001


And I have this entry in the jobrouter; the EVALSET statements are tests of mine in order to set subgroup fairshare based on the wlcg.groups content (currently I have no idea whether this will actually be used or not).

JOB_ROUTER_ROUTE_dteam001 @=jrt
  REQUIREMENTS (x509UserProxyVoName =?= "dteam") || (AuthTokenSubject =?= "9662c0b5-31a1-4478-963e-bdf3783232ed")
  UNIVERSE VANILLA
  COPY AuthTokenGroups MyGroup
  EVALSET TokenGroup strcat(Owner,split(MyGroup,",")[1])
  EVALSET MyAcctGroup UserMap("AssignAccountingGroup",TokenGroup)
  SET Mytest 100
@jrt


Finally, this is the script I use to decode JWT tokens. Hope this helps.
Stefano

jwt.py (use at your own risk! :) )

#!/usr/bin/env python

import os, sys, time
import base64
import json

# JWT segments omit the '=' padding; restore it so the length is a multiple of 4
# (-len % 4 gives the number of missing '=' characters, len % 4 does not).
pad = lambda s : s + '='*(-len(s)%4)
L = sys.argv[1:]

# Optional '-v' flag, then an optional file name; '-' or no file means stdin.
x = L and L.pop(0) or '-'
verb = x == '-v'
if verb:
    fn = L and L.pop(0) or '-'
else:
    fn = (os.path.isfile(x) and x) or '-'

f = fn == '-' and sys.stdin or open(fn,'r')

# Strip the trailing newline a token file usually carries before splitting.
s = f.read().strip()
H,B,S = s.split('.')
# Only the header and body are decoded here; the signature S is not verified.
htok = json.loads(base64.urlsafe_b64decode(pad(H)))
btok = json.loads(base64.urlsafe_b64decode(pad(B)))
print(json.dumps(htok, indent = 2))
print(json.dumps(btok, indent = 2))
f.close()
if verb:
    print('exp: ' + time.ctime(btok.get('exp',0)))


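The following is an added example, not part of Stefano's mail or of HTCondor-CE itself, that puts the pieces of the mail together in Python: it decodes a JWT with correct base64url padding, checks the nbf/exp window, mimics how the CE mapfile regex is matched against "issuer,subject", and mirrors the route's EVALSET group derivation. It assumes the SCITOKENS mapping key is issuer and subject joined by a comma (as the mapfile line above implies) and that AuthTokenGroups is the comma-joined wlcg.groups list (as the route's split() assumes); the token and mapfile below are constructed samples with the values shown in the mail.

```python
import base64
import json
import re
import time

def b64url_decode(segment):
    # JWT segments omit '=' padding; restore it with -len % 4 (not len % 4).
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))

def decode_jwt(token):
    # Parse header and claims only; the signature is NOT verified here.
    header_b64, claims_b64, _signature = token.strip().split('.')
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))

def token_is_current(claims, now=None):
    # Validity window as a verifier would check it: nbf <= now < exp.
    now = time.time() if now is None else now
    return claims.get('nbf', 0) <= now < claims.get('exp', 0)

MAPFILE_LINE = re.compile(r'^SCITOKENS\s+/(.*)/\s+(\S+)$')

def map_token(claims, mapfile_text):
    # Mimic (assumption) of the CE SCITOKENS mapfile: each regex is tried
    # against "issuer,subject"; the first match yields the mapped user.
    key = '%s,%s' % (claims['iss'], claims['sub'])
    for line in mapfile_text.splitlines():
        m = MAPFILE_LINE.match(line.strip())
        if m and re.search(m.group(1), key):
            return m.group(2)
    return None

def token_group(owner, auth_token_groups):
    # Mimic of the route's EVALSET: strcat(Owner, split(MyGroup, ",")[1]).
    return owner + auth_token_groups.split(',')[1]

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(',', ':')).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()

# Constructed sample token with the claims shown in the mail; the signature is a dummy.
SAMPLE_CLAIMS = {
    'sub': '9662c0b5-31a1-4478-963e-bdf3783232ed',
    'iss': 'https://wlcg.cloud.cnaf.infn.it/',
    'wlcg.groups': ['/wlcg', '/wlcg/pilots', '/wlcg/xfers'],
    'nbf': 1642173929, 'iat': 1642173929, 'exp': 1642177529,
}
SAMPLE_TOKEN = '.'.join([b64url_encode({'alg': 'RS256', 'kid': 'rsa1'}),
                         b64url_encode(SAMPLE_CLAIMS), 'dummy-signature'])
# Constructed copy of the mapfile line from the mail.
SAMPLE_MAPFILE = ('SCITOKENS /^https:\\/\\/wlcg\\.cloud\\.cnaf\\.infn\\.it\\/,'
                  '9662c0b5-31a1-4478-963e-bdf3783232ed/ dteam001\n')
```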

On 31/01/22 13:37, Thomas Hartmann wrote:
Hi all,

is it possible to use a scitoken/wlcg-token to authorize a
`condor_ce_trace/run` debug job (with condor-9.0.8)?

Cheers,
  Thomas



[doc]
https://htcondor.com/htcondor-ce/v5/troubleshooting/debugging-tools/
https://htcondor.com/htcondor-ce/v5/remote-job-submission/
refers only to X509 grid proxies

HTCondor-users mailing list

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/