File: condor_store_cred.rst


*condor_store_cred*
=====================

securely stash a credential
:index:`condor_store_cred<single: condor_store_cred; HTCondor commands>`\ :index:`condor_store_cred command`

Synopsis
--------

**condor_store_cred** **-h**

**condor_store_cred** action [ *options* ]

Description
-----------

*condor_store_cred* stores credentials in a secure manner.  There are
three actions, each of which can optionally be followed by a hyphen and
one of three types.

The actions are:

 **add[-type]**
    Add credential to secure storage
 **delete[-type]**
    Remove credential from secure storage
 **query[-type]**
    Check if a credential has been stored

The types are:

 **-pwd**
    Credential is a password (default)
 **-krb**
    Credential is a Kerberos/AFS token
 **-oauth**
    Credential is a SciToken or OAuth2 token

Credentials are stashed in a persistent manner; they are maintained
across system reboots.  When adding a credential, if there is already a
credential stashed, the old credential will be overwritten by the new
one.

There are two separate uses of the password actions of
*condor_store_cred*:

#. A shared pool password is needed in order to implement the
   ``PASSWORD`` authentication method. *condor_store_cred* with the
   **-c** option operates on the password for the implied
   ``condor_pool@$(UID_DOMAIN)`` user name.

   On a Unix machine, *condor_store_cred add[-pwd]* with the **-f** option
   sets the pool password used by the ``PASSWORD`` authentication
   method. The pool password is placed in the file specified by the
   :macro:`SEC_PASSWORD_FILE` configuration variable.

#. In order to submit a job from a Windows platform machine, or to
   execute a job on a Windows platform machine utilizing the
   :subcom:`run_as_owner[and condor_store_cred]`
   functionality, *condor_store_cred add[-pwd]* stores the password of a
   user/domain pair securely in the Windows registry. Using this stored
   password, HTCondor may act on behalf of the submitting user to access
   files, such as writing output or log files. HTCondor is able to run
   jobs with the user ID of the submitting user. The password is stored
   in the same manner as the system does when setting or changing
   account passwords.

Unless the *-p* argument is given with the *add* or *add-pwd* action, the
user is prompted to enter the password twice for confirmation; the
characters typed are not echoed.

The *add-krb* and *add-oauth* actions must be used with the *-i* argument
to specify a filename to read from.

The *-oauth* actions require a *-s* service name argument.  The *-S*
and *-A* options may be used with *add-oauth* to attach scopes and/or an
audience to the credential, or with *query-oauth* to check that the
scopes or audience match the previously stored credential.  If either
*-S* or *-A* is used, the credential must be in JSON format.

Options
-------

 **-h**
    Displays a brief summary of command options.
 **-c**
    *[-pwd]* actions refer to the pool password, as used in the ``PASSWORD``
    authentication method.
 **-f** *filename*
    For Unix machines only, generates a pool password file named
    *filename* that may be used with the ``PASSWORD`` authentication
    method.
 **-i** *filename*
    Read credential from *filename*.  If *filename* is *-*, read from
    stdin.  Required for *add-krb* and *add-oauth*.
 **-s** *service*
    The OAuth2 service name.  Required for all *-oauth* actions.
 **-H** *handle*
    Specify a handle for the given OAuth2 service.
 **-S** *scopes*
    Optional comma-separated list of scopes to request for *add-oauth*
    action.  If used with the *query-oauth* action, makes sure that
    the same scopes were requested in the original credential.
    Requires credentials to be in JSON format.
 **-A** *audience*
    Optional audience to request for *add-oauth*
    action.  If used with the *query-oauth* action, makes sure that
    the same audience was requested in the original credential.
    Requires credentials to be in JSON format.
 **-n** *machinename*
    Apply the command on the given machine.
 **-p** *password*
    Stores *password*, rather than prompting the user to enter a
    password.
 **-u** *username*
    Specify the user name.

Exit Status
-----------

*condor_store_cred* exits with a status value of 0 (zero) upon
success.  If the *query-oauth* action finds a credential but the
scopes or audience do not match, it exits with a status value of 2
(two).  Otherwise, it exits with a status value of 1 (one) upon failure.
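The argument rules from the Description (the pool password set with **-c** and **-f**, the mandatory **-s** and **-i** for *-oauth* actions, and the JSON requirement whenever **-S** or **-A** is given) together with the exit status mapping above, applied in a small POSIX sh wrapper. This is an added example, not code from HTCondor: the ``CONDOR_STORE_CRED`` variable (so the command can be substituted), the function names and the first-character JSON heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of HTCondor): thin POSIX sh wrapper that applies the
# documented argument rules before calling condor_store_cred.
# Assumption: CONDOR_STORE_CRED names the command to run (defaults to
# condor_store_cred on PATH); tests can point it at a stub function.

CONDOR_STORE_CRED="${CONDOR_STORE_CRED:-condor_store_cred}"

# looks_like_json FILE
# Heuristic used because -S/-A require a JSON credential: after dropping
# whitespace, a JSON credential object begins with '{'. An empty file fails.
looks_like_json() {
    first=$(tr -d ' \t\r\n' < "$1" | cut -c1)
    [ "$first" = "{" ]
}

# set_pool_password FILE
# Unix pool password for the PASSWORD authentication method:
#   condor_store_cred add -c -f FILE
# The tool prompts twice without echo; -p is deliberately not used, so the
# password never appears on a command line visible in process listings.
set_pool_password() {
    [ -n "$1" ] || { echo "set_pool_password: pool password file required" >&2; return 1; }
    "$CONDOR_STORE_CRED" add -c -f "$1"
}

# store_oauth_cred SERVICE FILE [SCOPES] [AUDIENCE]
# Runs: condor_store_cred add-oauth -s SERVICE -i FILE [-S SCOPES] [-A AUDIENCE]
# Enforces: -s and -i are mandatory; -S/-A only with a JSON credential.
store_oauth_cred() {
    service=$1; file=$2; scopes=$3; audience=$4
    [ -n "$service" ] || { echo "store_oauth_cred: -s service is required for -oauth actions" >&2; return 1; }
    [ -n "$file" ] && [ -r "$file" ] || { echo "store_oauth_cred: readable credential file (-i) required" >&2; return 1; }
    if [ -n "$scopes" ] || [ -n "$audience" ]; then
        looks_like_json "$file" || { echo "store_oauth_cred: -S/-A need a JSON credential: $file" >&2; return 1; }
    fi
    set -- add-oauth -s "$service" -i "$file"
    [ -n "$scopes" ] && set -- "$@" -S "$scopes"
    [ -n "$audience" ] && set -- "$@" -A "$audience"
    "$CONDOR_STORE_CRED" "$@"
}

# query_oauth_cred SERVICE [SCOPES] [AUDIENCE]
# Runs: condor_store_cred query-oauth -s SERVICE [-S SCOPES] [-A AUDIENCE]
# Explains the documented exit status (0 stored and matching, 2 stored but the
# scopes/audience differ, otherwise failure / not stored) and returns it unchanged.
query_oauth_cred() {
    service=$1; scopes=$2; audience=$3
    [ -n "$service" ] || { echo "query_oauth_cred: -s service is required" >&2; return 1; }
    set -- query-oauth -s "$service"
    [ -n "$scopes" ] && set -- "$@" -S "$scopes"
    [ -n "$audience" ] && set -- "$@" -A "$audience"
    "$CONDOR_STORE_CRED" "$@" && status=0 || status=$?
    case $status in
        0) echo "credential for $service stored and matches" ;;
        2) echo "credential for $service stored, but scopes/audience differ" >&2 ;;
        *) echo "no usable credential for $service (exit $status)" >&2 ;;
    esac
    return "$status"
}
```

Source the file and call, for instance, ``store_oauth_cred myservice /path/to/token.json read,write https://audience.example`` followed by ``query_oauth_cred myservice read,write`` to confirm the stored scopes still match; a return value of 2 from the query is the signal that a credential exists but was stored with different scopes or audience.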