Not verified yet.
Enabling IDTOKENS
Is IDTOKENS in the authentication methods list by default?
Is our best practice here to create condor@$(TRUST_DOMAIN) tokens, or role@$(TRUST_DOMAIN) tokens? (There's a ticket to make the latter the default for promiscuous mode.)
The key part of the configuration is the ALLOW lists, which may eventually have sane user-based defaults (if we stop shipping a config file with "use security : host_based").
Maybe what we really need is just the "upgrading from host-based to user-based security (with IDTOKENS)" page?
Enabling Promiscuous Mode
Enabling IDTOKENS doesn't mean you automatically start using it; you have to distribute tokens first. To make that easier, you can enable "promiscuous mode" by calling condor_token_auto_approve. (See the man page for details.) However, that doesn't work out of the box. Add the following three lines to your configuration.
promiscuous-mode.config
# Enable IDTOKENS' promiscuous mode.
COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
central-manager.config
CONDOR_HOST = <this machine's external IP address>
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : CentralManager
submit.config
CONDOR_HOST = <central manager's external IP address>
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : submit
# Allow any local user to submit jobs.
ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)
execute.config
CONDOR_HOST = <central manager's external IP address>
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
# Enable IDTOKENS (for daemons) and FS (for users).
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : execute
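The point of the fragments above (and of the remark that the ALLOW lists are the key part) is that the lists beyond READ become user-based (condor@*, *@host) rather than host-based, IDTOKENS is in the default method list, and ANONYMOUS is confined to the COLLECTOR.-scoped knobs with a matching COLLECTOR.DENY_DAEMON. The following is an added example, not HTCondor's own tooling: a small lint that parses fragments in the shape shown on this page and reports departures from that pattern. It handles only the config syntax these fragments use (KNOB = value, SUBSYS.KNOB, "use category : name" lines, comments and $(NAME) macros), the method-list fallback order it assumes is scoped knob, then unscoped knob, then the default list, and the host names in its sample fragments are constructed.

```python
"""Lint HTCondor security config fragments for the pitfalls this page describes.

Added example, not HTCondor's own tooling. Understands only the subset of
condor_config syntax used in the fragments above: `KNOB = value`,
`SUBSYS.KNOB = value`, `use category : name` lines, `#` comments and $(NAME)
macro references. Host names in the sample fragments are constructed.
"""
import re

MACRO_RE = re.compile(r"\$\(([A-Za-z0-9_.]+)\)")
# ALLOW lists that grant more than READ; a bare `*` or host-based entry here is
# exactly what moving from `use security : host_based` to user-based lists removes.
PRIVILEGED_ALLOW = ("ALLOW_WRITE", "ALLOW_DAEMON", "ALLOW_ADMINISTRATOR",
                    "ALLOW_NEGOTIATOR", "ALLOW_OWNER")


def parse_config(text):
    """Return (knobs, metaknobs): knobs maps upper-cased names (keeping any
    SUBSYS. prefix) to raw values, metaknobs lists (CATEGORY, name) in order."""
    knobs, metaknobs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"use\s+([A-Za-z_]+)\s*:\s*(\S+)$", line, re.I)
        if m:
            metaknobs.append((m.group(1).upper(), m.group(2)))
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        key = name.upper()
        # A self-reference (ALLOW_WRITE = $(ALLOW_WRITE) x) is resolved against the
        # previous value at assignment time; that is how a line appends to a list.
        value = re.sub(r"\$\(" + re.escape(key) + r"\)",
                       lambda _m: knobs.get(key, ""), value, flags=re.I)
        knobs[key] = value
    return knobs, metaknobs


def expand(knobs, name, predefined=None, depth=0):
    """Expand $(NAME) references lazily, when the knob is read. `predefined`
    stands in for values HTCondor sets itself, such as HOSTNAME."""
    predefined = {k.upper(): v for k, v in (predefined or {}).items()}
    key = name.upper()
    if key in predefined:
        return predefined[key]
    if depth > 16:
        raise ValueError(f"macro recursion while expanding {name}")
    raw = knobs.get(key, "")
    expanded = MACRO_RE.sub(lambda m: expand(knobs, m.group(1), predefined, depth + 1), raw)
    return " ".join(expanded.split())


def split_list(value):
    return [item for item in re.split(r"[,\s]+", value) if item]


def auth_methods(knobs, subsys, level, predefined=None):
    """Method list for one daemon and authorization level. Assumed resolution
    order: SUBSYS.SEC_<LEVEL>_..., then SEC_<LEVEL>_..., then the default list."""
    for name in (f"{subsys}.SEC_{level}_AUTHENTICATION_METHODS",
                 f"SEC_{level}_AUTHENTICATION_METHODS",
                 "SEC_DEFAULT_AUTHENTICATION_METHODS"):
        value = expand(knobs, name, predefined)
        if value:
            return [item.upper() for item in split_list(value)]
    return []


def lint(text, predefined=None):
    """Return findings; an empty list means the fragment follows this page's
    pattern: IDTOKENS on, ANONYMOUS confined to the collector, user-based
    entries in every ALLOW list beyond READ."""
    knobs, _ = parse_config(text)
    findings = []
    default = [m.upper() for m in split_list(
        expand(knobs, "SEC_DEFAULT_AUTHENTICATION_METHODS", predefined))]
    if "IDTOKENS" not in default:
        findings.append("IDTOKENS is missing from SEC_DEFAULT_AUTHENTICATION_METHODS")
    if "ANONYMOUS" in default:
        findings.append("ANONYMOUS is in the unscoped default methods; keep it on "
                        "COLLECTOR.-scoped DAEMON/READ methods only")
    promiscuous = any("ANONYMOUS" in auth_methods(knobs, "COLLECTOR", lvl, predefined)
                      for lvl in ("DAEMON", "READ"))
    if promiscuous and not expand(knobs, "COLLECTOR.DENY_DAEMON", predefined):
        findings.append("promiscuous mode is on but COLLECTOR.DENY_DAEMON is unset")
    for knob in PRIVILEGED_ALLOW:
        for entry in split_list(expand(knobs, knob, predefined)):
            if entry == "*" or "@" not in entry:
                findings.append(f"{knob} entry {entry!r} is a wildcard or host-based; "
                                "expected user@domain form such as condor@*")
    return findings


# Constructed sample fragments (host names are placeholders).
CENTRAL_MANAGER_CONFIG = """
CONDOR_HOST = cm.example.internal
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : CentralManager
# Enable IDTOKENS' promiscuous mode.
COLLECTOR.SEC_DAEMON_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS) ANONYMOUS
COLLECTOR.DENY_DAEMON = CONDOR_ANONYMOUS_USER*/*
"""
SUBMIT_CONFIG = """
CONDOR_HOST = cm.example.internal
use security : strong
ALLOW_ADMINISTRATOR = condor@*
ALLOW_OWNER = condor@*
ALLOW_READ = *
ALLOW_WRITE = condor@*
ALLOW_DAEMON = condor@*
ALLOW_NEGOTIATOR = condor@*
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, IDTOKENS
use role : submit
ALLOW_WRITE = $(ALLOW_WRITE) *@$(HOSTNAME)
"""
HOST_BASED_CONFIG = """
CONDOR_HOST = cm.example.internal
use security : host_based
SEC_DEFAULT_AUTHENTICATION_METHODS = FS
ALLOW_READ = *
ALLOW_WRITE = *
ALLOW_DAEMON = */*.example.internal
"""

if __name__ == "__main__":
    for label, cfg in (("central manager", CENTRAL_MANAGER_CONFIG),
                       ("submit", SUBMIT_CONFIG), ("host-based", HOST_BASED_CONFIG)):
        print(label, lint(cfg, {"HOSTNAME": "submit01.example.internal"}) or "ok")
```

Running the three samples shows the central-manager and submit fragments passing, the submit fragment's ALLOW_WRITE expanding to "condor@* *@submit01.example.internal" (the append via $(ALLOW_WRITE) rather than a replacement), and the host-based fragment producing three findings: IDTOKENS absent, ALLOW_WRITE = * and a host-based ALLOW_DAEMON entry.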