Hello Thomas,
I run my tests with a jwt like this one:
[sdalpra@ui-htc ~]$ jwt.py -v mytoken
{
  "alg": "RS256",
  "kid": "rsa1"
}
{
  "sub": "9662c0b5-31a1-4478-963e-bdf3783232ed",
  "iss": "https://wlcg.cloud.cnaf.infn.it/",
  "wlcg.groups": [
    "/wlcg",
    "/wlcg/pilots",
    "/wlcg/xfers"
  ],
  "wlcg.ver": "1.0",
  "jti": "1af5e1a5-c1e6-431f-a7de-d9f2c6cfcb29",
  "exp": 1642177529,
  "iat": 1642173929,
  "client_id": "ad852b22-e517-44a4-99e8-7c0660f878a1",
  "scope": "openid compute.create profile compute.read storage.read:/ compute.modify eduperson_entitlement wlcg storage.create:/ offline_access compute.cancel eduperson_scoped_affiliation storage.modify:/ email wlcg.groups",
  "nbf": 1642173929,
  "aud": "https://wlcg.cern.ch/jwt/v1/any"
}
exp: Fri Jan 14 17:25:29 2022
I usually set:
export BEARER_TOKEN_FILE=/tmp/bt_u`id -u`
and put the scitoken there (chmod 600).
Then I submit jobs to the CE this way:
[sdalpra@ui-htc ~]$ export _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SCITOKENS ; condor_submit -pool ce01t-htc.cr.cnaf.infn.it:9619 -remote ce01t-htc.cr.cnaf.infn.it ce_scitok308.sub
The submit file looks like:
[sdalpra@ui-htc CE5]$ cat ce_scitok308.sub
universe = vanilla
use_scitokens = true
+Owner = undefined
[...]
The mapfile entry to match my user is:
[root@ce01t-htc ~]# grep 9662c0b5-31a1-4478-963e-bdf3783232ed /etc/condor-ce/mapfiles.d/10-scitokens.conf
SCITOKENS /^https:\/\/wlcg\.cloud\.cnaf\.infn\.it\/,9662c0b5-31a1-4478-963e-bdf3783232ed/ dteam001
And I have this entry in the jobrouter; the EVALSET statements are tests of mine in order to set subgroup fairshare based on the wlcg.groups content (currently I have no idea whether this will actually be used or not).
JOB_ROUTER_ROUTE_dteam001 @=jrt
  REQUIREMENTS (x509UserProxyVoName =?= "dteam") || (AuthTokenSubject =?= "9662c0b5-31a1-4478-963e-bdf3783232ed")
  UNIVERSE VANILLA
  COPY AuthTokenGroups MyGroup
  EVALSET TokenGroup strcat(Owner,split(MyGroup,",")[1])
  EVALSET MyAcctGroup UserMap("AssignAccountingGroup",TokenGroup)
  SET Mytest 100
@jrt
Finally, this is the script I use to decode JWT tokens. Hope this helps.
Stefano
jwt.py (use at your own risk! :) )
#!/usr/bin/env python
import os, sys, time
import base64
import json

# JWT segments are base64url without padding; restore it before decoding.
# (-len(s) % 4, not len(s) % 4, gives the right number of '=' characters.)
pad = lambda s : s + '='*(-len(s)%4)

# Usage: jwt.py [-v] [tokenfile]   (reads the token from stdin when no file is given)
L = sys.argv[1:]
x = L and L.pop(0) or '-'
verb = x == '-v'
if verb:
    fn = L and L.pop(0) or '-'
else:
    fn = (os.path.isfile(x) and x) or '-'
f = fn == '-' and sys.stdin or open(fn,'r')
s = f.read().strip()
f.close()
# header.payload.signature -- the signature is only split off, not verified
H,B,S = s.split('.')
htok = json.loads(base64.urlsafe_b64decode(pad(H)))
btok = json.loads(base64.urlsafe_b64decode(pad(B)))
print(json.dumps(htok, indent = 2))
print(json.dumps(btok, indent = 2))
if verb:
    print('exp: ' + time.ctime(btok.get('exp',0)))
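Added example, not part of Stefano's mail and not HTCondor code: a small Python script that decodes a constructed WLCG-style token the same way jwt.py does (signature still unverified), checks its nbf/exp window against a given time, and applies the SCITOKENS mapfile line shown above by matching its regex against the string "<issuer>,<subject>", which is what the CE's mapfile does. The token, its dummy signature and the single-line mapfile are constructed from the claim values in the mail.

```python
#!/usr/bin/env python3
# Added example: decode an (unverified) token payload, check its validity
# window, and apply a SCITOKENS mapfile regex to "<iss>,<sub>".
import base64, json, re, time

def b64url_decode(s):
    # JWT segments drop base64 padding; -len % 4 restores exactly what is missing
    # (len % 4 over-pads segments whose length is 3 mod 4).
    return base64.urlsafe_b64decode(s + '=' * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b'=').decode()

def decode_claims(token):
    header, body, _sig = token.strip().split('.')   # signature not checked here
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))

def check_window(claims, now):
    """Return None if the token is usable at epoch time `now`, else the reason."""
    if now < claims.get('nbf', 0):
        return 'not yet valid'
    if now >= claims.get('exp', 0):
        return 'expired'
    return None

def map_user(claims, mapfile_lines):
    """Mimic a SCITOKENS mapfile: first regex matching '<iss>,<sub>' wins."""
    key = '%s,%s' % (claims['iss'], claims['sub'])
    for line in mapfile_lines:
        m = re.match(r'^SCITOKENS\s+/(.*)/\s+(\S+)\s*$', line)
        if m and re.search(m.group(1), key):
            return m.group(2)
    return None

# Constructed mapfile with the entry from the mail.
MAPFILE = [r'SCITOKENS /^https:\/\/wlcg\.cloud\.cnaf\.infn\.it\/,9662c0b5-31a1-4478-963e-bdf3783232ed/ dteam001']

def make_token(claims):
    # Constructed, unsigned token for the demo: header.payload.<dummy signature>
    header = b64url_encode(json.dumps({'alg': 'RS256', 'kid': 'rsa1'}).encode())
    return '%s.%s.%s' % (header, b64url_encode(json.dumps(claims).encode()), 'sig')

SAMPLE = make_token({'sub': '9662c0b5-31a1-4478-963e-bdf3783232ed',
                     'iss': 'https://wlcg.cloud.cnaf.infn.it/',
                     'wlcg.groups': ['/wlcg', '/wlcg/pilots', '/wlcg/xfers'],
                     'nbf': 1642173929, 'exp': 1642177529})

if __name__ == '__main__':
    _h, c = decode_claims(SAMPLE)
    print('window:', check_window(c, int(time.time())) or 'ok')
    print('mapped user:', map_user(c, MAPFILE))
```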
On 31/01/22 13:37, Thomas Hartmann wrote: