
Re: [HTCondor-users] token authorized grid universe submission



Sorry but I have to ask again...

Directly contacting the CE with condor_ce_ping/trace is working [1], so my general token/client/subject config should be good.

However, I am struggling to enable authorization with tokens through the gridmanager for grid universe jobs.

As far as I see, I somehow have to enforce an FS authorization for the "local" job but convince the gridmanager(?) to use SCITOKENS for the CE submission.

But so far I have not managed to get it running. When I constrain the authorization methods to only
  _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SCITOKENS
the fallout to the local Sched is accordingly and it is looking for a local mapping for a token subject. I tried to re-use the working token subject mapping from one of our CEs to the local condor, but still the mapping fails (I am not sure if a non-CE condor is actually able to do so).

Another combination of auth methods like `SCITOKENS,FS` throws the error about the proxy not being found.

Long story short - is there maybe a way to authenticate against the local scheduler with FS or so as method for a grid universe and then get the grid universe job submitted to a CE with SCITOKEN?

Cheers,
  Thomas

[1]
> condor_ce_ping -debug -verbose -type schedd -name grid-htcondorce-dev.desy.de -pool grid-htcondorce-dev.desy.de:9619 WRITE
03/21/23 15:59:16 recognized WRITE as authorization level, using command 60021.
Destination:                 schedd grid-htcondorce-dev.desy.de
Remote Version: $CondorVersion: 9.0.15 Jul 20 2022 BuildID: 597761 PackageID: 9.0.15-1 $
Local Version: $CondorVersion: 9.0.17 Sep 29 2022 BuildID: 607845 PackageID: 9.0.17-1 $
Session ID:                  grid-htcondorce-dev:4087045:1679410756:89
Instruction:                 WRITE
Command:                     60021
Encryption:                  AES
Integrity:                   AES
Authenticated using:         SCITOKENS
All authentication methods:  SCITOKENS
Remote Mapping:              belleprd004@xxxxxxxxxxxxxxxxxx
Authorized:                  TRUE


> condor_submit -debug belle.sub
03/21/23 16:02:05 Result of reading /etc/issue:  \S

03/21/23 16:02:05 Result of reading /etc/redhat-release: CentOS Linux release 7.9.2009 (Core)

03/21/23 16:02:05 Using processor count: 2 processors, 2 CPUs, 0 HTs
03/21/23 16:02:05 Reading condor configuration from '/etc/condor/condor_config'
03/21/23 16:02:05 Enumerating interfaces: lo 127.0.0.1 up
03/21/23 16:02:05 Enumerating interfaces: eth0 131.169.223.130 up
03/21/23 16:02:05 Enumerating interfaces: lo ::1 up
03/21/23 16:02:05 Enumerating interfaces: eth0 2001:638:700:10df::1:82 up
03/21/23 16:02:05 Enumerating interfaces: eth0 fe80::11:69ff:fe22:3130 up
Submitting job(s)03/21/23 16:02:05 SharedPortClient: sent connection request to schedd at <131.169.223.130:9618> for shared port id schedd_1034646_ad22
03/21/23 16:02:05 Looking for token in file /tmp/token_14053
03/21/23 16:02:05 SECMAN: required authentication with schedd at <131.169.223.130:9618> failed, so aborting command QMGMT_WRITE_CMD.

ERROR: Failed to connect to local queue manager
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SCITOKENS

[3]
> 03/21/23 16:02:04 (pid:1034694) Evaluated periodic expressions in 0.000s, scheduling next run in 60s
03/21/23 16:02:05 (pid:1034694) DC_AUTHENTICATE: authentication of <131.169.223.130:24758> did not result in a valid mapped user name, which is required for this command (1112 QMGMT_WRITE_CMD), so aborting.
03/21/23 16:02:05 (pid:1034694) DC_AUTHENTICATE: reason for authentication failure: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS
