[HTCondor-users] Passing IDToken to user job for identification to storage resource
- Date: Fri, 2 Dec 2022 13:37:38 +0100
- From: Benoit Roland <benoit.roland@xxxxxxx>
- Subject: [HTCondor-users] Passing IDToken to user job for identification to storage resource
Dear all,
our jobs need to store their output on a storage resource (no
shared file system) which requires IDToken authentication.
The IDToken is retrieved from the provider by the user on the
command line before the job submission.
I read about different options to manage credentials, but I am not
exactly sure about which one is more appropriate for our use case.
The flow is as follows:
1. Before submission, the token is generated on the command line:
oidc-token -f punch-aai >> idtoken.text
2. We would like to store this token in a secured place defined in
the HTCondor configuration to make it accessible to the job
submitted by the user.
So far, for test purposes, the token is part of the "transfer_input_files"
in the submit description file.
3. The transfer of the job output to the storage resource is so far
hardcoded in a Python script (included as well in the jdl "transfer_input_files")
doing essentially:
"curl -L -X PUT -H \"Authorization: Bearer " + str(TOKEN) + "\"" + " --upload-file " + INPUTFILE + " " + STORAGE_RESOURCE
4. Not yet implemented is the refreshment or renewal of the IDToken
which is limited to a one hour lifetime.
We would like to ask you which approach/option would be more suited
to our use case?
Thanks a lot in advance for your answer and advice!
Cheers,
Benoit
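
The upload in step 3 and the one-hour lifetime in step 4, as an added example that is not part of the original post: the curl command is built as an argument list with the bearer header passed on stdin, so the token is neither interpolated into a shell string nor visible in the process listing, and the upload is refused when the token is close to expiry. It assumes the token is a JWT carrying an `exp` claim and curl 7.55.0 or later; the function names, the sample token and the storage URL are made up for illustration.

```python
import base64
import json
import subprocess
import time


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (lifetime check only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_left(token, now=None):
    """Seconds until the 'exp' claim; negative once the token has expired."""
    now = time.time() if now is None else now
    return int(jwt_claims(token)["exp"] - now)


def build_curl_upload(token, input_file, url, min_lifetime=60, now=None):
    """Return (argv, stdin_text) for the PUT; the token travels on stdin only."""
    token = token.strip()
    if any(c.isspace() for c in token):
        raise ValueError("whitespace inside token")  # would split the header
    if seconds_left(token, now) < min_lifetime:
        raise RuntimeError("token expired or about to expire; fetch a new one")
    # '-H @-' makes curl (7.55.0 or later) read header lines from stdin.
    argv = ["curl", "-L", "-X", "PUT", "-H", "@-", "--upload-file", input_file, url]
    return argv, "Authorization: Bearer " + token + "\n"


def upload(token, input_file, url):
    """Run the transfer from inside the job (hypothetical helper)."""
    argv, header = build_curl_upload(token, input_file, url)
    subprocess.run(argv, input=header, text=True, check=True)  # no shell involved


def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token (unsigned): expires at t=4600, one hour after t=1000.
SAMPLE_TOKEN = ".".join([_b64({"alg": "none"}), _b64({"sub": "user", "exp": 4600}), "sig"])

if __name__ == "__main__":
    argv, _ = build_curl_upload(SAMPLE_TOKEN, "out.dat",
                                "https://storage.example.org/out.dat", now=1000)
    print(argv, seconds_left(SAMPLE_TOKEN, now=1000))
```

The decoded claims are used only to read the expiry; the storage resource remains the party that validates the token.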