Mailing List Archives
Authenticated access
|
|
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] Setting up a CE so that pilots (or jobs) advertise back to the CE collector with IDTOKENS
- Date: Mon, 24 Oct 2022 19:26:30 +0000
- From: John M Knoeller <johnkn@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] Setting up a CE so that pilots (or jobs) advertise back to the CE collector with IDTOKENS
SendIDTokens can reference job attributes, so assuming the token has the same name as the Owner attribute of the job, you can do this
SendIDTokens = Owner
or if you need to map owners to token names, something like this
SendIDTokens = usermap("ownertotokenmap", Owner...)
-tj
> JOB_ROUTER_ROUTE_Fermi @=rt
>
> ... define route...
> # override JOB_ROUTER_SEND_ROUTE_IDTOKENS for this route
> SendIDTokens = "fermilab2"
>
> @rt
-----Original Message-----
From: Marco Mambelli <marcom@xxxxxxxx>
Sent: Monday, October 24, 2022 1:43 PM
To: John M Knoeller <johnkn@xxxxxxxxxxx>
Cc: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; Nicholas Peregonow <njp@xxxxxxxx>
Subject: Re: [HTCondor-users] Setting up a CE so that pilots (or jobs) advertise back to the CE collector with IDTOKENS
I'm not that knowledgeable about the job router, I don't know how to define the route.
Is it there a way to specify "any job that would run as user X"?
Or even better, is it there a way to write a generic rule, for each user, as identified by the authentication, add SendIDTokens with the token named as the user (or the same token and change ownership of it).
Thank you,
Marco
> On Oct 24, 2022, at 11:48, John M Knoeller <johnkn@xxxxxxxxxxx> wrote:
>
> You can control the tokens on a per-route basis by adding SendIDTokens to the route definition.
>
> JOB_ROUTER_ROUTE_Fermi @=rt
>
> ... define route...
> # override JOB_ROUTER_SEND_ROUTE_IDTOKENS for this route
> SendIDTokens = "fermilab2"
>
> @rt
>
> -----Original Message-----
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Marco Mambelli via HTCondor-users
> Sent: Sunday, October 23, 2022 12:13 PM
> To: htcondor-users@xxxxxxxxxxx
> Cc: Marco Mambelli <marcom@xxxxxxxx>; Nicholas Peregonow <njp@xxxxxxxx>
> Subject: [HTCondor-users] Setting up a CE so that pilots (or jobs) advertise back to the CE collector with IDTOKENS
>
> I tried to setup a CE so that pilots (or jobs) advertise back to the CE collector with IDTOKENS.
> I followed the instructions in:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__htcondor.readthedocs.io_en_latest_admin-2Dmanual_configuration-2Dmacros.html-23JOB-5FROUTER-5FCREATE-5FIDTOKEN-5F-253CNAME-253E&d=DwIFAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=EF06-Wh4L9CNLgD8bnIjNQ&m=VsjqLQChANeHiRh9tklvuUesq4fkZQGEDvL3ecGeLWJe4lxSDlUpNTWr8LxHQKEP&s=eMS7kIFIPdWSUaenfPBgNmJqg4DY3e_LMC12w_Joyjc&e=
> https://urldefense.proofpoint.com/v2/url?u=https-3A__opensciencegrid.atlassian.net_browse_HTCONDOR-2D735&d=DwIFAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=EF06-Wh4L9CNLgD8bnIjNQ&m=VsjqLQChANeHiRh9tklvuUesq4fkZQGEDvL3ecGeLWJe4lxSDlUpNTWr8LxHQKEP&s=hQ59ybzPSTdKnT7jkp1XuHLUY0cGy7Rwqa_ztIDAQLw&e=
> https://urldefense.proofpoint.com/v2/url?u=https-3A__opensciencegrid.atlassian.net_browse_HTCONDOR-2D991&d=DwIFAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=EF06-Wh4L9CNLgD8bnIjNQ&m=VsjqLQChANeHiRh9tklvuUesq4fkZQGEDvL3ecGeLWJe4lxSDlUpNTWr8LxHQKEP&s=zFKpUuvFLdRJj35KTUlG0FO-3pb6OxdBH45S9KiAcdc&e=
>
> I'm using condor-9.0.17-1.el7.x86_64 and htcondor-ce-5.1.5-1.el7.noarch, the latest ones from the HTCSS production repo.
>
> After some fiddling I was able to get it working creating token directories owned by the user,
> storing there the token and copying only the token of the user submitting the job
>
> JOB_ROUTER_CREATE_IDTOKEN_NAMES = fermilab2
> JOB_ROUTER_IDTOKEN_REFRESH = 200
>
> JOB_ROUTER_CREATE_IDTOKEN_fermilab2 @=end
> sub = "fermilabpilot@xxxxxxxx"
> kid = "POOL"
> lifetime = 900
> scope = "ADVERTISE_STARTD, ADVERTISE_MASTER, READ"
> # this dir is owned by "fermilab" otherwise it fails
> dir = "/etc/condor-ce/gltokens/fermilab"
> filename = "ce_fermilab2.idtoken"
> owner = "fermilab"
> @end
>
> JOB_ROUTER_SEND_ROUTE_IDTOKENS = fermilab2
>
> This works for one user.
> I want all jobs running on the CE to advertise to the monitoring collector.
> If I add multiple tokens to JOB_ROUTER_SEND_ROUTE_IDTOKENS the jobs go on hold because of failed staging.
> Any suggestion on the JOB_ROUTER_ROUTE_whatever to use to identify the user and send its token?
>
> Even better, is it there a way to have a token sent to all users (different ownership once in the job directory)?
> Or to generate automatically one token per user (without having to redefine manually the token for each user) and have it sent?
>
> Thank you,
> Marco
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_mailman_listinfo_htcondor-2Dusers&d=DwIFAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=EF06-Wh4L9CNLgD8bnIjNQ&m=VsjqLQChANeHiRh9tklvuUesq4fkZQGEDvL3ecGeLWJe4lxSDlUpNTWr8LxHQKEP&s=6X1VPkkOm3VvB9lW0nk4miYsxv6dA-hXhdGDhzRbhaw&e=
>
> The archives can be found at:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_archive_htcondor-2Dusers_&d=DwIFAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=EF06-Wh4L9CNLgD8bnIjNQ&m=VsjqLQChANeHiRh9tklvuUesq4fkZQGEDvL3ecGeLWJe4lxSDlUpNTWr8LxHQKEP&s=_mzph2SzqG4TIRxq52qJ1agj7ord6w5CofvxQRDVgBo&e=