
Re: [HTCondor-users] token authorized grid universe submission



Hi Stefano et al.,

many thanks for the fast answer.

I just realized I forgot to export
  export _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SCITOKENS
sorry for the noise.

As for the vanilla universe I would prefer to avoid it as I am not sure if our VOBox users would properly clean up all their upstream staged job files.

Cheers,
  Thomas

On 21/03/2023 14.12, Stefano Dal Pra wrote:
Hello Thomas:
I set up the submit file differently:
[sdalpra@ui-htc CE5]$ cat ce_scitokenv.sub
universe = vanilla
use_scitokens = true
+Owner = undefined
[...]

Then the submit command looks like:
[sdalpra@ui-htc CE5]$ export _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SCITOKEN ; condor_submit -pool <ce_fqdn>:9619 -remote <ce_fqdn> submitfile.sub

Hope this helps
Stefano



On 21/03/23 14:02, Thomas Hartmann wrote:
Hi all,

I am trying to submit grid universe jobs to our CondorCEs authorized by WLCGTokens - however the set up does not seem to be working.

I.e., we have a VOBox with daemons locally collector + negotiator + scheduler + gridmanager/gahp on Condor 9 [1], so that users can submit their grid universe job locally for the daemons to forward them to the CEs. Jobs submitted with a X509 proxy work, so that the submission file and local daemon set up should be in general OK. However when unsetting X509 and only using a token, the submission fails [1] as no proxy file is found. I guess gridmanager/gahp in Condor 9 do not support {Sci,WLCG}Tokens and we have to update the VOBox to 10.0/1, or?

Cheers,
 Thomas



[1]
condor-9.0.17-1.el7.x86_64
condor-classads-9.0.17-1.el7.x86_64
condor-externals-9.0.17-1.el7.x86_64
condor-procd-9.0.17-1.el7.x86_64
python2-condor-9.0.17-1.el7.x86_64
python3-condor-9.0.17-1.el7.x86_64

[2]
> export BEARER_TOKEN_FILE=/tmp/token_$(id -u)
> condor_submit belle.sub
Submitting job(s)ERROR: unable to read proxy file

[3]
> cat belle.sub
universe = grid
use_x509userproxy = true
X509UserProxy=$ENV(X509_USER_PROXY)
grid_resource = condor grid-htcondorce1.desy.de grid-htcondorce1.desy.de:9619
# transfer_input_files = ${HOME}/k5-ca-proxy-belle.pem
# environment = "X509_USER_PROXY=${HOME}/k5-ca-proxy-belle.pem"
executable = belle.sh
output = $(Cluster)_$(Process).out
error = $(Cluster)_$(Process).err
log = $(Cluster)_$(Process).logs
ShouldTransferFiles = YES
WhenToTransferOutput = ON_EXIT
+remote_jobuniverse = 5
+remote_requirements = True
+remote_ShouldTransferFiles = "YES"
+remote_WhenToTransferOutput = "ON_EXIT"
queue

[4]
> cat /tmp/token_$(id -u) | cut -d "." -f 2 | base64 -d 2>/dev/null | jq
{
 "wlcg.ver": "1.0",
 "sub": "1ec796cb-250b-479d-a9e9-6509995adab0",
 "aud": "https://wlcg.cern.ch/jwt/v1/any",
 "nbf": 1679402025,
 "scope": "openid compute.create offline_access compute.read compute.cancel compute.modify",
 "iss": "https://wlcg.cloud.cnaf.infn.it/",
 "exp": 1679403225,
 "iat": 1679402025,
 "jti": "448e3bf4-14e8-4aa7-a5ee-a396e38f83a3",
 "client_id": "5e4d8e45-2fa0-4a56-b646-113c3b0bf9c1"
}
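
An added example (not part of the original messages and not HTCondor code): a Python pre-flight check for a bearer token like the one dumped in [4], which restores the base64url padding that `base64 -d 2>/dev/null` silently trips over and then checks the validity window and scope before `condor_submit` is run. The signature is not verified; the function names, the `min_left` margin and the choice of `compute.create` as the required scope are assumptions of this example.

```python
import base64
import json
import time

def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    # JWT segments are unpadded base64url; restore padding before decoding.
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(claims, now=None, required_scope="compute.create", min_left=60):
    """Return a list of problems with the token; an empty list means none found."""
    now = time.time() if now is None else now
    problems = []
    if now < claims.get("nbf", 0):
        problems.append("token not yet valid")
    left = claims.get("exp", 0) - now
    if left <= 0:
        problems.append("token expired")
    elif left < min_left:
        problems.append("token expires in %d s" % left)
    # The scope claim is a space-separated list; match whole entries only.
    if required_scope not in claims.get("scope", "").split():
        problems.append("scope %s missing" % required_scope)
    return problems

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: claim values copied from the dump in [4];
# the header and the signature segment are placeholders.
SAMPLE_CLAIMS = {
    "wlcg.ver": "1.0",
    "aud": "https://wlcg.cern.ch/jwt/v1/any",
    "nbf": 1679402025,
    "scope": "openid compute.create offline_access compute.read "
             "compute.cancel compute.modify",
    "exp": 1679403225,
    "iat": 1679402025,
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url(SAMPLE_CLAIMS), "placeholder-signature"])

if __name__ == "__main__":
    print(preflight(decode_claims(SAMPLE_TOKEN), now=1679402100))
```

The token in [4] is valid for only 1200 seconds (`exp` minus `iat`), so running this kind of check against the file named by `BEARER_TOKEN_FILE` just before submission catches an expired token early.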
