Include information about auth token in the job ClassAd


FNAL has requested that we include information about the token used to authenticate the job submission; the envisioned use case is their "JobSub" service which may need to route jobs internally based on the corresponding group information.

The idea is this would be quite analogous to how we record various attributes from the client certificate for GSI authentication.

Looking through the tokens (both IDTOKENS and SCITOKENS), the useful attributes appear to be:

  • Subject

  • Issuer

  • Token ID (maybe)

  • Groups (if present)


Greg Thain
December 21, 2020, 3:35 PM

I’m happy with the changes.

Todd L Miller
December 21, 2020, 6:21 AM

Commit 141fca6334a1595ed7812421c00a451effc5ac08 looks good to me, but assigning back to GregT to move to done if he’s satisfied.

Brian Bockelman
December 21, 2020, 5:23 AM

Oh! For completeness, here’s an example of the new attributes in the job classad for a relatively complex token (includes all the new attributes):

Brian Bockelman
December 21, 2020, 5:19 AM

Oddly enough, I don’t think so. Per this StackOverflow, on Linux, RTLD_DEFAULT defined to be the NULL. So, if dlopen fails, it’s going to search in the current scope … and most likely fail!

Regardless, this isn’t what we’re aiming for. The fact we ‘get lucky’ and avoid a segfault isn’t an excuse to not fix it. It’s easiest to just move these inside the success block for the conditional.

Greg Thain
December 20, 2020, 5:35 PM

I believe if the dlopen fails on or about line 137 of condor_scitokens.cpp then we will segfault on or about line 153 when we call dlsym.


Time remaining



Greg Thain