Re: [HTCondor-users] output file transfer using oauth token

Mailing List Archives Authenticated access	UW Madison Computer Sciences Department Computer Systems Lab

Send HTCondor-users mailing list submissions to
        htcondor-users@xxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
        https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_mailman_listinfo_htcondor-2Dusers&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=mA4qFs7Hfq-joWhWXnsXfA&m=J-cETwlyGAMKCe-1EGeRi_3AuH6AZkEUY-eXIRv5wEr2i5_mIqXdIyh7GFt8AxS1&s=u6EHZT5zVDCcpyLbnSSWNMrEQX1TiNNETSWQOx7AGiw&e=
or, via email, send a message with subject or body 'help' to
        htcondor-users-request@xxxxxxxxxxx

You can reach the person managing the list at
        htcondor-users-owner@xxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of HTCondor-users digest..."

Today's Topics:

   1. Re: output file transfer using oauth token (Dave Dykstra)
   2. Re: output file transfer using oauth token (Kevin Retzke)

----------------------------------------------------------------------

Message: 1
Date: Thu, 27 Oct 2022 21:04:08 +0000
From: Dave Dykstra <dwd@xxxxxxxx>
To: "htcondor-users@xxxxxxxxxxx" <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] output file transfer using oauth token
Message-ID: <Y1ryR6rh1ySC9PPE@xxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Re-sending now that I'm subscribed.

On Thu, Oct 27, 2022 at 03:52:55PM -0500, Dave Dykstra wrote:
> That looks like a bug to me. I think there were other things in Condor
> that were using that format at one point but it's unusable for WLCG
> Bearer Token Discovery so I think it was changed or was going to be
> changed.
>
> Dave
>
> On Thu, Oct 27, 2022 at 08:14:05PM +0000, Kevin Retzke wrote:
> > I'm trying to have a job upload output to dcache over https, authenticating with a scitoken. In my submit file I have:
> >
> > use_oauth_services = dune
> > output_destination = dune+https://example.com/foo/bar
> >
> > Condor does send the token at $_CONDOR_CREDS/dune.use, but this file only contains the encoded token itself, which we expect in order to use the token in the job. However, uploading output fails with "Unable to parse token as JSON", since the file transfer plugin expects the dune.use file to be JSON with the token under the "access_token" field. https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_htcondor_htcondor_blob_main_src_condor-5Ffiletransfer-5Fplugins_multifile-5Fcurl-5Fplugin.cpp-23L131&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=mA4qFs7Hfq-joWhWXnsXfA&m=J-cETwlyGAMKCe-1EGeRi_3AuH6AZkEUY-eXIRv5wEr2i5_mIqXdIyh7GFt8AxS1&s=Bv4hvEqYW-Nw0N4m6NUZ6FOlMfpux5G35hd4WKYKdQE&e=
> >
> > Is this a bug in the file transfer plugin, or can I just not use the oauth token like that? The documentation suggests it should work in https://urldefense.proofpoint.com/v2/url?u=https-3A__htcondor.readthedocs.io_en_latest_users-2Dmanual_file-2Dtransfer.html-23file-2Dtransfer-2Dusing-2Da-2Durl&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=mA4qFs7Hfq-joWhWXnsXfA&m=J-cETwlyGAMKCe-1EGeRi_3AuH6AZkEUY-eXIRv5wEr2i5_mIqXdIyh7GFt8AxS1&s=hF_ePjKwys6lNhv-1AwHsqNRyNEPoFRhHTWBA6mSBtQ&e=
> >
> > condor 9.0.16 on the schedd
> >
> > Thanks,
> > Kevin

------------------------------

Message: 2
Date: Thu, 27 Oct 2022 21:34:07 +0000
From: Kevin Retzke <kretzke@xxxxxxxx>
To: Todd Tannenbaum <tannenba@xxxxxxxxxxx>,     Kevin Retzke via
        HTCondor-users <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] output file transfer using oauth token
Message-ID:
        <SA1PR09MB880086FB500D975AAD4C6A52D3339@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

Content-Type: text/plain; charset="us-ascii"

Hi Todd,
Thanks for the fast response. We're using the Vault credmon. If this isn't something affecting others we could look at writing our own file transfer plugin (and very well may have to anyways when all is said and done).

Thanks,
Kevin
________________________________
From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
Sent: Thursday, October 27, 2022 5:00 PM
To: Kevin Retzke via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Cc: Dave Dykstra <dwd@xxxxxxxx>; Kevin Retzke <kretzke@xxxxxxxx>
Subject: Re: [HTCondor-users] output file transfer using oauth token

On 10/27/2022 3:14 PM, Kevin Retzke via HTCondor-users wrote:
I'm trying to have a job upload output to dcache over https, authenticating with a scitoken. In my submit file I have:

use_oauth_services = dune
output_destination = dune+https://example.com/foo/bar

Condor does send the token at $_CONDOR_CREDS/dune.use, but this file only contains the encoded token itself, which we expect in order to use the token in the job. However, uploading output fails with "Unable to parse token as JSON", since the file transfer plugin expects the dune.use file to be JSON with the token under the "access_token" field. https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_htcondor_htcondor_blob_main_src_condor-5Ffiletransfer-5Fplugins_multifile-5Fcurl-5Fplugin.cpp-23L131&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=mA4qFs7Hfq-joWhWXnsXfA&m=J-cETwlyGAMKCe-1EGeRi_3AuH6AZkEUY-eXIRv5wEr2i5_mIqXdIyh7GFt8AxS1&s=Bv4hvEqYW-Nw0N4m6NUZ6FOlMfpux5G35hd4WKYKdQE&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_htcondor_htcondor_blob_main_src_condor-5Ffiletransfer-5Fplugins_multifile-5Fcurl-5Fplugin.cpp-23L131&d=DwMDaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=SLzPmtachqBnruNeiSM1YJabrgzOgLT8XglEfXks-UI&m=aeVmgsVfyEjt4EbX2tTHgYnJUmUlzVwHp2RIzEaoAhaxGWPDDKg6JHXYAmuV7NUI&s=BmBXMI5z9jgfjRjrVfr8p585EzcnlcMjCQ7pNbE4LSk&e=>

Is this a bug in the file transfer plugin, or can I just not use the oauth token like that? The documentation suggests it should work in https://urldefense.proofpoint.com/v2/url?u=https-3A__htcondor.readthedocs.io_en_latest_users-2Dmanual_file-2Dtransfer.html-23file-2Dtransfer-2Dusing-2Da-2Durl&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=mA4qFs7Hfq-joWhWXnsXfA&m=J-cETwlyGAMKCe-1EGeRi_3AuH6AZkEUY-eXIRv5wEr2i5_mIqXdIyh7GFt8AxS1&s=hF_ePjKwys6lNhv-1AwHsqNRyNEPoFRhHTWBA6mSBtQ&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__htcondor.readthedocs.io_en_latest_users-2Dmanual_file-2Dtransfer.html-23file-2Dtransfer-2Dusing-2Da-2Durl&d=DwMDaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=SLzPmtachqBnruNeiSM1YJabrgzOgLT8XglEfXks-UI&m=aeVmgsVfyEjt4EbX2tTHgYnJUmUlzVwHp2RIzEaoAhaxGWPDDKg6JHXYAmuV7NUI&s=Q34iUOs2MFsbpRBi-Gb0l5WODesg9qelJ5d_tNur-Qw&e=>

condor 9.0.16 on the schedd

Thanks,
Kevin

Hi Kevin,

Thank you for the detailed report and your nice (source code) investigative work above!

Question: what issued you the scitoken? was it Vault? a local issuer? or?

Initial thinking here the .use file, if created by the oauth2 credmon, is JSON.   But if it is the Vault credmon instead, then... looks like it is raw.    Just want to confirm what you are using before we decide how to go about fixing it.

Thanks
Todd

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://urldefense.proofpoint.com/v2/url?u=https-3A__www-2Dauth.cs.wisc.edu_lists_htcondor-2Dusers_attachments_20221027_4ebe11ce_attachment.html&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=mA4qFs7Hfq-joWhWXnsXfA&m=J-cETwlyGAMKCe-1EGeRi_3AuH6AZkEUY-eXIRv5wEr2i5_mIqXdIyh7GFt8AxS1&s=Hr3eVD7oCDYN6KhcWsOMdw-mg34fln9cWkCVdXrwwvY&e= >

------------------------------

Subject: Digest Footer

_______________________________________________
HTCondor-users mailing list
HTCondor-users@xxxxxxxxxxx
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_mailman_listinfo_htcondor-2Dusers&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=mA4qFs7Hfq-joWhWXnsXfA&m=J-cETwlyGAMKCe-1EGeRi_3AuH6AZkEUY-eXIRv5wEr2i5_mIqXdIyh7GFt8AxS1&s=u6EHZT5zVDCcpyLbnSSWNMrEQX1TiNNETSWQOx7AGiw&e=

------------------------------

End of HTCondor-users Digest, Vol 107, Issue 23
***********************************************

Mailing List Archives

Authenticated access

Re: [HTCondor-users] output file transfer using oauth token