Skip to content
This repository was archived by the owner on May 23, 2022. It is now read-only.

Commit b743349

Browse files
matyasselmecimatyasselmeci
committed
Add info on which VOs can use tokens, and how to tell if tokens have been used
1 parent fb72509 commit b743349

File tree

1 file changed

+43
-0
lines changed

1 file changed

+43
-0
lines changed

docs/security/tokens/overview.md

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
Token Authentication Overview
2+
=============================
3+
4+
5+
6+
How to Tell When Incoming Jobs Are Using Tokens
7+
-----------------------------------------------
8+
9+
The authentication method of a job is recorded in two places: the `AuditLog` files in `/var/log/condor-ce`.
10+
In addition, an incoming (pre-routed) job on a CE will have the following classad attributes:
11+
12+
| AuthTokenId | A UUID of the token |
13+
| AuthTokenIssuer | The URL of the issuer of the token |
14+
| AuthTokenScopes | Any scope restrictions on the token |
15+
| AuthTokenSubject | The 'sub' field of the token |
16+
17+
(A pre-routed job is a job without `RoutedJob=True` in its classad.)
18+
19+
Note: a job may have both a token and an X.509 proxy;
20+
presence of any `x509*` attributes does not indicate the absence of a token.
21+
22+
To see which authentication method was used for a job, look at the `/var/log/condor-ce/AuditLog*` files.
23+
Find a line saying `Submitting new job <JOBID>` (where `<JOBID>` is a job ID like `21249.0`).
24+
The line before that should say what authentication method was used.
25+
Authentication via a token will say `AuthMethod=SCITOKENS`;
26+
authentication via a proxy will say `AuthMethod=GSI`.
27+
28+
29+
VOs Supporting Token Authentication for Pilot Submission
30+
--------------------------------------------------------
31+
32+
These are the VOs that support or partially support using tokens for pilot submission:
33+
34+
| VO Name | Testing Tokens | Using Tokens in Production |
35+
|:--------|----------------|----------------------------|
36+
| ATLAS | Yes | No |
37+
| CMS | Yes | No |
38+
| GLOW | Yes | Yes |
39+
| OSG | Yes | Yes |
40+
41+
Until all of the VOs you support are using tokens in production, your CE has to remain on OSG 3.5,
42+
with the 3.5-upcoming repositories enabled.
43+

0 commit comments

Comments
 (0)