
Re: [HTCondor-users] HTCondor-CE tokens & APEL accounting support



I don't think we have a solution ready to go for this, but you're on the right track. Your mapfile would need a first field of "*" for each entry. Then, you'd use the UserMap() ClassAd function (with a couple config knobs to point at the map file) to do the mapping.

You can find an example of configuring a UserMap() mapfile here (ignore the job router-specific bits):

https://htcondor.com/htcondor-ce/v24/configuration/htcondor-routes/

Once that's set up, you would use this function call in your expression to do the token-based mapping:

UserMap("ApelGroupMap", strcat(AuthTokenIssuer, ",", AuthTokenSubject))

 - Jaime

On Apr 25, 2025, at 1:22 AM, Petr Vokac via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

Hi,

Currently APEL accounting doesn't work for jobs without a delegated proxy submitted to HTCondor-CE with tokens. It seems that a general agreement about accounting for jobs submitted with tokens won't arrive soon, and that's why we would like to follow the ideas implemented by ARC-CE 7 [1], [2]:

* extract accounting group from primary wlcg.group (configurable, by default disabled)
* allow site administrators to map token identity to accounting group (similar to SCITOKEN unix accounts mapping)
* fallback to x509UserProxyFirstFQAN in case these two methods don't return a group

First item is pretty trivial, because it would be necessary to change just one line in HTCondor-CE APEL script

https://github.com/htcondor/htcondor-ce/blob/4339994eeba0f5d456b370459d8b49893ce461b2/contrib/apelscripts/condor_batch_blah.py#L167

and replace 'x509UserProxyFirstFQAN' with an expression that uses the first group from the list in AuthTokenGroups, e.g. with something like 'ifThenElse(isUndefined(x509UserProxyFirstFQAN) && APEL_ACCOUNTING_BY_WLCG_GROUPS, split(AuthTokenGroups, ",")[0], x509UserProxyFirstFQAN)'

The second requirement is slightly more tricky, because it would be necessary to use a mapfile (e.g. /etc/condor-ce/apel_acct_group.map) with the following structure
/^https\:\/\/atlas\-auth\.cern\.ch\/,7dee38a3\-6ab8\-4fe2\-9e4c\-58039c21d817$/ /atlas/Role=production
/^https\:\/\/atlas\-auth\.cern\.ch\/,5c5d2a4d\-9177\-3efa\-912f\-1b4e5c9fb660$/ /atlas/Role=lcgadmin
/^https\:\/\/atlas\-auth\.cern\.ch\/,750e9609\-485a\-4ed4\-bf16\-d5cc46c71024$/ /atlas/Role=analysis
/^https\:\/\/cms\-auth\.web\.cern\.ch\/,.*/ /cms
...
(regexps for /AuthTokenIssuer,AuthTokenSubject/ mapped to APEL accounting group)

Could you help us with an expression replacing "x509UserProxyFirstFQAN" in `contrib/apelscripts/condor_batch_blah.py:167` that provides a string for APEL accounting based on the requirements mentioned above? Or do you have another idea that could replicate the functionality provided by ARC-CE APEL accounting?

thanks,

Petr

[1] https://indico.cern.ch/event/1541449/?note=326029
[2] https://bugzilla.nordugrid.org/show_bug.cgi?id=4236
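
Added example, not part of the original messages and not HTCondor-CE code: a stand-alone Python check for trying such a mapfile offline against sample job ads, following the order in Petr's list (first token group if enabled, then the issuer,subject mapfile, then x509UserProxyFirstFQAN). The function names, the by_wlcg_groups flag, first-match-wins, and the use of Python's re in place of HTCondor's regex engine are assumptions; the sample map reuses two of the entries above with the "*" first field.

```python
import re

# Constructed sample mapfile: two entries from the thread, each with the "*"
# first field; the regex sits between slashes, the group is the last field.
SAMPLE_MAP = r"""
* /^https\:\/\/atlas\-auth\.cern\.ch\/,7dee38a3\-6ab8\-4fe2\-9e4c\-58039c21d817$/ /atlas/Role=production
* /^https\:\/\/cms\-auth\.web\.cern\.ch\/,.*/ /cms
"""

def parse_map(text):
    """Return [(compiled_regex, group)] in file order; skips blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        method, rest = line.split(None, 1)
        pattern, group = rest.rsplit(None, 1)
        if method != "*" or not (pattern.startswith("/") and pattern.endswith("/")):
            raise ValueError("unexpected mapfile line: " + line)
        entries.append((re.compile(pattern[1:-1]), group))
    return entries

def accounting_group(ad, entries, by_wlcg_groups=False):
    """Resolve the APEL group for a job ad given as a dict of ClassAd attributes."""
    groups = ad.get("AuthTokenGroups")
    if by_wlcg_groups and groups:
        return groups.split(",")[0]          # primary wlcg.group
    issuer, subject = ad.get("AuthTokenIssuer"), ad.get("AuthTokenSubject")
    if issuer and subject:
        key = issuer + "," + subject         # same string the strcat() call builds
        for regex, group in entries:         # assumption: first matching line wins
            if regex.search(key):
                return group
    return ad.get("x509UserProxyFirstFQAN")  # None when no method yields a group
```

Because the entries are anchored with ^ and include the trailing "/," of the issuer, a look-alike issuer such as https://atlas-auth.cern.ch.example/ does not map to an ATLAS group.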