logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

condor_token_create - HTCondor Manual

Author

       HTCondor Team

Description

condor_token_create will read an HTCondor password file inside the  SEC_PASSWORD_DIRECTORY  (by  default,
       this is the pool password) and use it to create an authentication token.  The authentication token may be
       subsequently used by clients to authenticate against a remote HTCondor server.  Tokens allow fine-grained
       authentication  as individual HTCondor users as opposed to pool password, where anything in possession of
       the pool password will authenticate as the same user.

       An identity must be specified for the token; this will be the client's resulting identity at  the  remote
       HTCondor  server.  If the -lifetime or (one or more) -authz options are specified, the token will contain
       additional restrictions that limit what the client will be authorized to do.  If an attacker is  able  to
       access the token, they will be able to authenticate with the identity listed in the token (subject to the
       restrictions above).

       If  successful,  the  resulting  token  will  be sent to stdout; by specifying the -token option, it will
       instead be written to the user's token directory.   If  written  to  SEC_TOKEN_SYSTEM_DIRECTORY  (default
       /etc/condor/tokens.d), then the token can be used for daemon-to-daemon authentication.

       condor_token_create is only currently supported on Unix platforms.

Examples

       To create a token for jane@cs.wisc.edu with no additional restrictions:

          $ condor_token_create -identity jane@cs.wisc.edu
          eyJhbGciOiJIUzI1NiIsImtpZCI6Il....bnu3NoO9BGM

       To  create  a  token  for  worker-node@cs.wisc.edu  that  may  advertise  either  a  condor_startd  or  a
       condor_master:

          $ condor_token_create -identity worker-node@cs.wisc.edu \
                                -authz ADVERTISE_STARTD \
                                -authz ADVERTISE_MASTER
          eyJhbGciOiJIUzI1NiIsImtpZC.....8wkstyj_OnM0SHsOdw

       To  create  a  token  for  friend@cs.wisc.edu  that  is only valid for 10 minutes, and then to save it to
       ~/.condor/tokens.d/friend:

          $ condor_token_create -identity friend@cs.wisc.edu -lifetime 600 -token friend

       If the administrator would like to create a specific key for signing tokens, token_key, distinct from the
       default pool password, they would first use condor_store_cred to create the key:

          $ openssl rand -base64 32 | condor_store_cred -f /etc/condor/passwords.d/token_key

       Note, in this case, we created a random 32 character key using SSL instead of providing a  human-friendly
       password.

       Next, the administrator would run run condor_token_create:

          $ condor_token_create -identity frida@cs.wisc.edu -key token_key
          eyJhbGciOiJIUzI1NiIsImtpZCI6I.....eyJpYXQiOUzlN6QA

       If the token_key file is deleted from the SEC_PASSWORD_DIRECTORY, then all of the tokens issued with that
       key will be invalidated.

Exit Status

condor_token_create  will  exit  with a non-zero status value if it fails to read the password file, sign
       the token, write the output, or experiences some other error.  Otherwise, it will exit 0.

Name

       condor_token_create - HTCondor Manual

       given a password file, create an authentication token for the IDTOKENS authentication method

Options

-authzauthz
                 Adds  a restriction to the token so it is only valid to be used for a given authorization level
                 (such as READ, WRITE, DAEMON, ADVERTISE_STARTD).  If multiple authorizations are  needed,  then
                 -authz  must  be  specified  multiple  times.   If  -authz  is  not specified, no authorization
                 restrictions are added and authorization will be solely based on the  token's  identity.   NOTE
                 that  -authz  cannot be used to give an identity additional permissions at the remote host.  If
                 the server's admin only permits the user READ authorization, then specifying -authzWRITE in  a
                 token will not allow the user to perform writes.

          -debug Causes  debugging  information  to  be  sent to stderr, based on the value of the configuration
                 variable TOOL_DEBUG.

          -help  Display brief usage information and exit.

          -identityuser@domain
                 Set a specific client identity to be written into the token; a client will authenticate as this
                 identity with a remote server.

          -keykeyid
                 Specify a key  file  to  use  under  the  directory  specified  by  the  SEC_PASSWORD_DIRECTORY
                 configuration  variable.  The  key name must match a file in the password directory; the file's
                 contents must be created with condor_store_cred and will be used to sign the  resulting  token.
                 If -key is not set, then the default pool password will be used.

          -lifetimevalue
                 Specify the lifetime, in seconds, for the token to be valid (the token validity will start when
                 the token is signed).  After the lifetime expires, the token cannot be used for authentication.
                 If not specified, the token will contain no lifetime restrictions.

          -tokenfilename
                 Specifies  a  filename,  relative  to  the  directory  in the SEC_TOKEN_DIRECTORY configuration
                 variable (for example, on Linux this defaults to ~/.condor/tokens.d), where the resulting token
                 is stored.  If not specified, the token will be sent to stdout.

See Also

condor_store_cred(1), condor_token_fetch(1), condor_token_request(1), condor_token_list(1)

Synopsis

condor_token_create-identityuser@domain  [-keykeyid]  [-authzauthz ...] [-lifetimevalue] [-tokenfilename] [-debug]

       condor_token_create [-help ]

See Also