Re: [HTCondor-users] Condor and tokens

[Petr Vokac <petr.vokac@xxxxxxx>]

I did not find related topic in ARC-CE mailing list, so replying here

it seems to me that ARC-CE stores information about client in the job.JOBID.local file and the easiest way to get these details in the job classAd is to create new ARC-CE RTE that extracts "subject"

[root@xxxxxxxxxxxxxxxxxxxxx ~]# cat /usr/share/arc/rte/ENV/SUBJECT <<EOF
# description: extract subject from local parameters and make it available via joboptions

if [ "x$1" = "x0" ]; then
    localfile=${joboption_controldir}/job.${joboption_gridid}.local
    joboption_subject=`grep subject= $localfile | sed 's/[^=]*=//'`
fi
EOF

and then patch condor with

[root@xxxxxxxxxxxxxxxxxxxxx ~]# diff -u /usr/share/arc/submit-condor-job.orig /usr/share/arc/submit-condor-job 
--- /usr/share/arc/submit-condor-job.orig	2024-08-01 17:10:24.490303826 +0200
+++ /usr/share/arc/submit-condor-job	2024-08-01 16:53:22.416243174 +0200
@@ -91,6 +91,11 @@
 echo "Output = $condor_stdout">> $LRMS_JOB_DESCRIPT
 echo "Error = $condor_stderr">> $LRMS_JOB_DESCRIPT
 
+# subject
+if [ ! -z "${joboption_subject}" ] ; then
+    echo "+NordugridSubject = \"$joboption_subject\"" >> $LRMS_JOB_DESCRIPT
+fi
+
 # queue
 if [ ! -z "${joboption_queue}" ] ; then
     echo "+NordugridQueue = \"$joboption_queue\"" >> $LRMS_JOB_DESCRIPT

After these updates I get in our job classAds something like

[root@xxxxxxxxxxxxxxxxxxxxx ~]# condor_q -allusers -af ClusterId Owner NordugridQueue NordugridSubject | tail -n 3
164430 atlasprd001 grid /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=atlpilo1/CN=614260/CN=Robot: ATLAS Pilot1
164431 atlasprd001 grid /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=atlpilo1/CN=614260/CN=Robot: ATLAS Pilot1
164432 atlasprd001 grid https://atlas-auth.web.cern.ch//7dee38a3-6ab8-4fe2-9e4c-58039c21d817

Last job was submitted with ATLAS WLCG JWT token.



ARC-CE configured with HTCondor local batch simply create JDL file that might look like

# HTCondor job description built by arex
Executable = condorjob.sh
Input = /dev/null
Log = /var/spool/arc/session/EVpLDmpemt5nnoBGSqYX2MjntwGI2oABFKDmc2aVDmZgVKDmMkuySn/log
Output = /var/spool/arc/session/EVpLDmpemt5nnoBGSqYX2MjntwGI2oABFKDmc2aVDmZgVKDmMkuySn.comment
Error = /var/spool/arc/session/EVpLDmpemt5nnoBGSqYX2MjntwGI2oABFKDmc2aVDmZgVKDmMkuySn.comment
+NordugridSubject = "https://atlas-auth.web.cern.ch//7dee38a3-6ab8-4fe2-9e4c-58039c21d817"
+NordugridQueue = "grid"
Description = ARC_CE_test
Universe = vanilla
Notification = Never
Requirements = (NumJobStarts == 0) && ( ((Arch == "x86_64") && (Opsys =?= "LINUX")) )
Priority = 0
x509userproxy = /var/spool/arc/session/EVpLDmpemt5nnoBGSqYX2MjntwGI2oABFKDmc2aVDmZgVKDmMkuySn/user.proxy
request_cpus = 1
request_memory=2048
+JobMemoryLimit = 2097152
should_transfer_files = YES
When_to_transfer_output = ON_EXIT_OR_EVICT
Transfer_input_files = /var/spool/arc/session/EVpLDmpemt5nnoBGSqYX2MjntwGI2oABFKDmc2aVDmZgVKDmMkuySn
Periodic_remove = (JobStatus == 1 && NumJobStarts > 0) || ((ResidentSetSize isnt undefined ? ResidentSetSize : 0) > JobMemoryLimit)
Queue

Petr

On 7/15/24 16:19, Thomas Birkett - STFC UKRI via HTCondor-users wrote:

Hi Brian,

 

Thank you! That makes perfect sense, I will get in touch with the ARC community and see if I can piece the puzzle together.

 

Many thanks again,

 

Tom

 

From: Bockelman, Brian <BBockelman@xxxxxxxxxxxxx>
Date: Monday, 15 July 2024 at 13:58
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: condor-users@xxxxxxxxxxx <condor-users@xxxxxxxxxxx>, Birkett, Thomas (STFC,RAL,SC) <thomas.birkett@xxxxxxxxxx>
Subject: Re: [HTCondor-users] Condor and tokens

Hi Thomas,

 

It's a good question!  I don't think it's well-trodden ground...

 

Those attributes are populated from the security session used to submit the job.  Unlike VOMS, there's no way to turn them on/off -- it's always on.

 

How does the ARC CE interact with HTCondor?  If it uses the same token itself is given, then you'll get these attributes.  If it does something else (like runs condor_submit as the target user), it probably uses the "FS" authentication and does not actually submit to HTCondor using the token (and hence no attributes).

 

So -- this might be more of an ARC question in the end.

 

Brian

On Jul 15, 2024, at 4:33âAM, Thomas Birkett - STFC UKRI via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

 

Hi all,

 

I realise this question may have been asked a million times before so apologies in advance if Iâm walking heavily trodden ground! Iâm currently looking at testing tokens for CMS and ATLAS. Our estate uses Nordugrid ARC-CE 6.20.1 and HTCondor 10.0.9. 

 

Iâm struggling to figure out how the `AuthToken` ClassAds are enabled, ClassAdâs such as `AuthTokenGroups` and `AuthTokenIssuer`. We currently using routing rules for our x509 jobs (using the classad `x509UserProxyVOName`) which required the config `USE_VOMS_ATTRIBUTES = True` and we wish to use the same logic for jobs submitted with tokens. Looking through the HTCondor manuals, using the `AuthToken` ClassAdâs will do a similar mapping logic for our routing. Any help would be gratefully received.

 

Many thanks,

 

Thomas Birkett

Senior Systems Administrator

Scientific Computing Department  

Science and Technology Facilities Council (STFC)

Rutherford Appleton Laboratory, Chilton, Didcot 
OX11 0QX

 

<image001.png>

 

 

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/

 

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/