Add SCITOKENS to default auth methods list

Description

Add SCITOKENS to the default authentication methods list. This makes it easier to configure SciTokens support. In particular, it allows a user to use SciTokens authentication for Condor-C jobs without having to modify the config files (which they may not have access to).

This work resulted in a few additional changes:

  • Prune SCITOKENS from auth list if loading of required libraries fails.

  • Don’t abort full authentication process if loading of a method’s required libraries fails.

  • Remember active auth method on callback in non-blocking code. This fixes wrong values in some dprintf() messages and fixes potential problems in the client-side code.

Note that using SciTokens auth with the tools to talk to daemons still requires the SCITOKENS_FILE config param to be set (which can be done via environment variables or the user config file).

Note that the central commit has a typo so it’s not linked to this ticket:

Original ticket description (making scitokens auth work with condor-c) is below:

Without SCITOKENS_FILE specified in the HTCondor configuration, condor_submit will fail to find the remote schedd, even with +SciTokensFile specified in the submit file:

This also appears to affect the Gridmanager, which is more annoying because you can't specify the appropriate config on the command line:

From https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=7471,4

Activity

Todd Tannenbaum
March 8, 2021, 7:31 PM

CODE REVIEW

Code looks fine, but documentation is poor.

This ticket just adds a single line to the version history… missing is, for example, what order SCITOKENS is tried by default… i.e. before IDTOKENS or after? For that matter, there is not anything at all in the manual on how SciTokens works, or how it requires SSL to be configured first… Given docs for SciTokens are completely missing, I guess I am willing to consider fixing that outside the scope of this ticket and will create a new ticket about it.

Brian Lin
December 1, 2020, 8:39 PM

IIRC from the meeting we’re going to use this ticket just for adding SCITOKENS to the default SEC_CLIENT_AUTHENTICATION_METHODS list

I’ve spun off the multiple SciTokens for a single Gridmanager issue into

Jaime Frey
December 1, 2020, 8:29 PM

Sites can get Condor-C jobs with SciTokens to work by adding this to their configuration:

C_GAHP_WORKER_THREAD.SEC_CLIENT_AUTHENTICATION_METHODS = SCITOKENS, \
$(SEC_CLIENT_AUTHENTICATION_METHODS)

They can work around the problem of one user using multiple tokens by launching a separate gridmanager process per token file, like so:

GRIDMANAGER_SELECTION_EXPR = SciTokensFile

Jaime Frey
November 17, 2020, 8:00 PM

I think I’ve found the problem. While there is code in the gridmanager and c-gahp to set SCITOKENS_FILE in the c-gahp’s config based on a ScitokensFile attribute in the job ad, there is nothing that adds the SCITOKENS authentication method to the SEC_CLIENT_AUTHENTICATION_METHODS parameter. If I do that explicitly in the config file, submission starts working.

Jaime Frey
November 3, 2020, 3:17 AM

There is code in the gridmanager and c-gahp to set SCITOKENS_FILE in the c-gahp’s configuration if ScitokensFile is set in the job ad. It’s buggy if a user’s jobs are using different SciTokens, but in principle it should work if there’s only one token. Not that I’ve tested it myself.

Assignee

Todd Tannenbaum