[HTCondor-users] IDTOKENS and cli
- Date: Mon, 25 Apr 2022 16:46:58 -0500
- From: Michael Thomas <wart@xxxxxxxxxxx>
- Subject: [HTCondor-users] IDTOKENS and cli
I'm still flailing about trying to get idtokens working on a new 9.0.12
schedd in my cluster.
I was finally able to get the schedd talking to the collector by issuing
a new token with condor_token_create (and a long list of permissions),
then signing it on the CM:
condor_token_create -identity schedd@xxxxxxxxxxxxxxxxxxxxxxxx -authz DAEMON -authz UPDATE_SCHEDD_AD -authz READ -authz WRITE -authz QUERY_STARTD_ADS -authz UPDATE_AD_GENERIC -authz ADMINISTRATOR
However, I'm unable to get some CLI commands to work. Notably, the
'condor_status' command, when run as root, returns:
# condor_status
Error: communication error
SECMAN:2010:Received "DENIED" from server for user condor@xxxxxxxxxxxxxxxxxxxxxxxx using method IDTOKENS.
The collector reports the following error:
04/25/22 16:41:03 DC_AUTHENTICATE: message authenticator enabled with key id ldas-condor:2734:1650922863:33339.
04/25/22 16:41:03 DC_AUTHENTICATE: Success.
04/25/22 16:41:03 DC_AUTHENTICATE: authentication of <10.13.5.58:20190> was successful but resulted in a limited authorization which did not include this command (5 QUERY_STARTD_ADS), so aborting.
...which seems odd considering that I explicitly included
QUERY_STARTD_ADS in the token request above.
As a user, it won't even authenticate:
$ condor_status
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
AUTHENTICATE:1004:Failed to authenticate using FS
Any suggestions on where to look next?
--Mike
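The denial in the post ("authentication ... was successful but resulted in a limited authorization which did not include this command") is the collector saying that the token it received authenticated a valid identity but carried a scope that did not cover the command. Note also that the token minted in the post is for schedd@..., while the denial names condor@..., so the first thing to compare is the identity and scope of whichever token the client actually loaded. The script below is an added example, not code from the original post or from HTCondor: it mints and decodes an IDTOKEN-style JWT offline so you can read the sub and scope claims and check whether a given authorization level is present. It assumes the token layout condor_token_list prints (a JWT with iss = trust domain, sub = identity, iat, jti and, when limited with -authz, scope = space-separated "condor:/<LEVEL>" entries, HMAC-SHA256 signed with kid "POOL"). The key is a constructed demo key; HTCondor derives its real signing key from the pool password and that derivation is not reproduced here, so signature verification only succeeds on tokens minted by this script or with a key you derive yourself.

```python
"""
Added example (not from the original post or from HTCondor): mint and inspect
an IDTOKEN-style JWT offline to see which identity and which authorization
levels a token actually carries.

Assumptions: HS256-signed JWT with claims iss (trust domain), sub (identity),
iat, jti and an optional scope of "condor:/<LEVEL>" entries. The signing key
used here is a constructed demo key, not HTCondor's password-derived key.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, identity: str, authz: list, kid: str = "POOL") -> str:
    """Build and sign a token for `identity` (user@trust.domain).

    An empty `authz` list means no scope claim: the token is not limited and
    the server's ALLOW_* configuration alone decides what `identity` may do.
    """
    header = {"alg": "HS256", "kid": kid}
    claims = {
        "iss": identity.split("@", 1)[1],
        "sub": identity,
        "iat": int(time.time()),
        "jti": os.urandom(16).hex(),
    }
    if authz:
        claims["scope"] = " ".join("condor:/" + level for level in authz)
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def inspect_token(token: str, key: Optional[bytes] = None) -> dict:
    """Decode a token; with `key`, also check its HS256 signature.

    Returns the header, the claims, the set of authz levels the scope grants
    (None when the token has no scope and is therefore unrestricted) and
    `verified` (None when no key was supplied).
    """
    enc_header, enc_claims, enc_sig = token.split(".")
    header = json.loads(_b64url_decode(enc_header))
    claims = json.loads(_b64url_decode(enc_claims))
    verified = None
    if key is not None:
        expected = hmac.new(key, (enc_header + "." + enc_claims).encode("ascii"),
                            hashlib.sha256).digest()
        # constant-time comparison: never compare MACs with ==
        verified = hmac.compare_digest(expected, _b64url_decode(enc_sig))
    authz = None
    if "scope" in claims:
        authz = {entry[len("condor:/"):] for entry in claims["scope"].split()
                 if entry.startswith("condor:/")}
    return {"header": header, "claims": claims, "authz": authz, "verified": verified}


def missing_authz(token: str, level: str) -> bool:
    """True when the token is limited by a scope that does not include `level`.

    This is the condition behind a "limited authorization which did not include
    this command" denial: authentication succeeds, the scope does not cover the
    command. An unrestricted token (no scope claim) never triggers it.
    """
    authz = inspect_token(token)["authz"]
    return authz is not None and level not in authz


if __name__ == "__main__":
    demo_key = b"constructed-demo-pool-key"  # constructed for the demo, not a real pool key
    schedd = mint_token(demo_key, "schedd@example.org",
                        ["DAEMON", "READ", "WRITE", "QUERY_STARTD_ADS"])
    condor = mint_token(demo_key, "condor@example.org", ["READ"])
    for name, tok in (("schedd token", schedd), ("condor token", condor)):
        info = inspect_token(tok, demo_key)
        print(name, info["claims"]["sub"], sorted(info["authz"]),
              "verified" if info["verified"] else "BAD SIGNATURE")
        print("  lacks QUERY_STARTD_ADS:", missing_authz(tok, "QUERY_STARTD_ADS"))
```

On a real host, condor_token_list shows the tokens the client would present; feeding one of them to inspect_token without a key decodes its sub and scope, which is enough to tell whether the token in use is the one that was minted and whether its scope lists the level the daemon's log says was missing.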