[HTCondor-users] HTCondor-CE tokens & APEL accounting support
- Date: Fri, 25 Apr 2025 08:22:15 +0200
- From: Petr Vokac <petr.vokac@xxxxxxx>
- Subject: [HTCondor-users] HTCondor-CE tokens & APEL accounting support
Hi,
currently APEL accounting doesn't work for jobs without a delegated
proxy submitted to HTCondor-CE with tokens. It seems that a general
agreement about accounting for jobs submitted with tokens won't
arrive soon, and that's why we would like to follow the ideas implemented
by ARC-CE 7 [1], [2]:
* extract accounting group from primary wlcg.group (configurable, by
default disabled)
* allow site administrators to map token identity to accounting
group (similar to SCITOKEN unix accounts mapping)
* fallback to x509UserProxyFirstFQAN in case these two methods
don't return a group
The first item is pretty trivial, because it would be necessary to
change just one line in the HTCondor-CE APEL script
https://github.com/htcondor/htcondor-ce/blob/4339994eeba0f5d456b370459d8b49893ce461b2/contrib/apelscripts/condor_batch_blah.py#L167
and replace 'x509UserProxyFirstFQAN' with an expression that uses the first
group from the list in AuthTokenGroups, e.g. with something like
'ifThenElse(isUndefined(x509UserProxyFirstFQAN) &&
APEL_ACCOUNTING_BY_WLCG_GROUPS, split(AuthTokenGroups, ",")[0],
x509UserProxyFirstFQAN)'
The second requirement is slightly more tricky, because it would be
necessary to use a mapfile (e.g. /etc/condor-ce/apel_acct_group.map)
with the following structure
/^https\:\/\/atlas\-auth\.cern\.ch\/,7dee38a3\-6ab8\-4fe2\-9e4c\-58039c21d817$/ /atlas/Role=production
/^https\:\/\/atlas\-auth\.cern\.ch\/,5c5d2a4d\-9177\-3efa\-912f\-1b4e5c9fb660$/ /atlas/Role=lcgadmin
/^https\:\/\/atlas\-auth\.cern\.ch\/,750e9609\-485a\-4ed4\-bf16\-d5cc46c71024$/ /atlas/Role=analysis
/^https\:\/\/cms\-auth\.web\.cern\.ch\/,.*/ /cms
...
(regexps for /AuthTokenIssuer,AuthTokenSubject/ mapped to APEL
accounting group)
Could you help us with an expression replacing
"x509UserProxyFirstFQAN" in `contrib/apelscripts/condor_batch_blah.py:167`
that provides a string for APEL accounting based on the requirements
mentioned above? Or do you have another idea that could replicate
the functionality provided by ARC-CE APEL accounting?
thanks,
Petr
[1] https://indico.cern.ch/event/1541449/?note=326029
[2] https://bugzilla.nordugrid.org/show_bug.cgi?id=4236
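
The three-step lookup described in the message, sketched in Python as an added example; it is not part of the original message and not HTCondor-CE code. The function names, the dict-based job ad, the precedence (taken from the order of the bullet list) and the placeholder token subject are assumptions; the rule format is the one shown in the message.

```python
import re

# Constructed sample in the mapfile format from the message; the subject
# UUID is a placeholder, not a real token subject.
SAMPLE_MAP = r"""
/^https\:\/\/atlas\-auth\.cern\.ch\/,00000000\-0000\-0000\-0000\-000000000001$/ /atlas/Role=production
/^https\:\/\/cms\-auth\.web\.cern\.ch\/,.*/ /cms
"""

def parse_map(text):
    """Return [(compiled_regex, group)] from '/regex/ group' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("/"):
            raise ValueError("rule must start with '/': %r" % line)
        i = 1
        while i < len(line) and line[i] != "/":  # closing '/' is the first unescaped one
            i += 2 if line[i] == "\\" else 1
        if i >= len(line) or not line[i + 1:].strip():
            raise ValueError("malformed rule: %r" % line)
        rules.append((re.compile(line[1:i]), line[i + 1:].strip()))
    return rules

def accounting_group(ad, rules, by_wlcg_groups=False):
    """Resolve the APEL group for one job ad (dict of ClassAd attributes)."""
    # 1. Primary wlcg.group, only when the site enabled it (default: disabled).
    groups = [g.strip() for g in (ad.get("AuthTokenGroups") or "").split(",") if g.strip()]
    if by_wlcg_groups and groups:
        return groups[0]
    # 2. Site mapfile keyed on "AuthTokenIssuer,AuthTokenSubject"; first match wins.
    issuer, subject = ad.get("AuthTokenIssuer"), ad.get("AuthTokenSubject")
    if issuer and subject:
        key = issuer + "," + subject
        for rx, group in rules:
            if rx.search(key):
                return group
    # 3. Fall back to the VOMS FQAN from a delegated proxy (None if absent).
    return ad.get("x509UserProxyFirstFQAN")
```

Rules are applied with a search, so a rule without `^` and `$` matches anywhere in the "issuer,subject" string; the atlas rules in the message are anchored at both ends for that reason.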