File: condor_token_fetch.rst


*condor_token_fetch*
======================

obtain a token from a remote daemon for the IDTOKENS authentication method
:index:`condor_token_fetch<single: condor_token_fetch; HTCondor commands>`\ :index:`condor_token_fetch command`

Synopsis
--------

**condor_token_fetch** [**-authz** *authz* ...] [**-lifetime** *value*]
[**-pool** *pool_name*] [**-name** *hostname*] [**-type** *type*]
[**-token** *filename* | **-file** *filename*] [**-key** *signing_key*]

**condor_token_fetch** [**-help** ]

Description
-----------

*condor_token_fetch* will attempt to fetch an authentication token from a remote
daemon.  If successful, the identity embedded in the token will be the same as the
client's identity at the remote daemon.

Authentication tokens are a useful mechanism to limit an identity's authorization or
to establish an alternate authentication method.  For example, an administrator may
utilize *condor_token_fetch* to create a token for a monitoring host that is limited
to only the ``READ`` authorization.  A user may use *condor_token_fetch* while they
are logged in to a submit host then use the resulting token to submit remotely from
their personal laptop.

If the **-lifetime** or (one or more) **-authz** options are specified,
the token will contain additional restrictions that limit what the
client will be authorized to do.

By default, *condor_token_fetch* will query the local *condor_schedd*; by specifying
a combination of **-pool**, **-name**, or **-type**, the tool can request tokens
in other pools, on other hosts, or from different daemon types.

If successful, the resulting token will be sent to ``stdout``.
With the **-token** option, the token will instead be written to the user's
token directory (the value may not have any path information).
With the **-file** option, the token will be written to the given file
(the value may be an arbitrary filename).
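As an added illustration, not part of this manual page or of HTCondor's own code, of what the **-lifetime** and **-authz** restrictions look like once embedded in a token: the example tokens in this page share the header segment ``eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ``, which is base64url for ``{"alg":"HS256","kid":"POOL"}``, so a token is a compact HS256 JWT. The script below mints a sample token of that shape with a constructed key and then reports the restrictions a token carries, which is the check worth running before a token is handed to a monitoring host or a laptop. The claim names ``sub``, ``iss``, ``iat``, ``exp`` and ``scope``, and the ``condor:/READ`` scope form, are assumptions about the payload rather than facts stated on this page; the signing key is a stand-in, since a token holder never has the daemon's real key and should treat the claims as unverified.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key: stands in for the daemon's signing key, which a token
# holder never sees. It only lets this demo mint and verify its own sample tokens.
DEMO_SIGNING_KEY = b"constructed-demo-pool-signing-key"


def _b64url_encode(raw: bytes) -> str:
    # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(identity, issuer, lifetime=None, authz=(), issued_at=None,
                    key=DEMO_SIGNING_KEY):
    """Build an HS256 token shaped like the ones in the Examples section.

    Claim names (sub, iss, iat, exp, scope) and the "condor:/READ" scope form
    are assumptions about the IDTOKENS payload, not taken from this page.
    """
    issued_at = int(time.time()) if issued_at is None else issued_at
    header = {"alg": "HS256", "kid": "POOL"}
    payload = {"sub": identity, "iss": issuer, "iat": issued_at}
    if lifetime is not None:          # -lifetime: validity starts at signing time
        payload["exp"] = issued_at + lifetime
    if authz:                         # -authz READ -authz WRITE ...
        payload["scope"] = " ".join("condor:/" + a for a in authz)

    def compact(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def inspect_token(token, now=None, key=None):
    """Decode a token and summarise the restrictions it carries.

    The signature can only be checked when the caller supplies the signing
    key; without it the claims are unverified and the daemon is the only
    party that can reject a forgery.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    report = {
        "identity": payload.get("sub"),
        "issuer": payload.get("iss"),
        "key_id": header.get("kid"),
    }
    exp = payload.get("exp")
    report["lifetime_restricted"] = exp is not None
    report["expired"] = exp is not None and now >= exp
    report["seconds_remaining"] = None if exp is None else max(0, exp - now)
    scope = payload.get("scope", "")
    report["authz_restricted"] = bool(scope)
    report["authz"] = [s.removeprefix("condor:/") for s in scope.split()]
    if key is not None:
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(),
                            hashlib.sha256).digest()
        report["signature_valid"] = hmac.compare_digest(expected, _b64url_decode(parts[2]))
    return report


def valid_token_filename(name):
    """-token takes a bare filename under SEC_TOKEN_DIRECTORY: no path parts."""
    return bool(name) and "/" not in name and "\\" not in name and name not in (".", "..")


if __name__ == "__main__":
    tok = mint_demo_token("friend@cs.wisc.edu", "htcondor.cs.wisc.edu",
                          lifetime=600, authz=("READ", "WRITE"))
    print(json.dumps(inspect_token(tok, key=DEMO_SIGNING_KEY), indent=2))
```

Run it on a real token by replacing the minted sample with the string printed by *condor_token_fetch* (and omit ``key``); the report shows whether the token is lifetime-limited, which authorization levels it is scoped to, and how long it has left, which is exactly the information an administrator wants before issuing a ``READ``-only token to a monitoring host.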

Options
-------

 **-authz** *authz*
    Adds a restriction to the token so it is only valid to be used for
    a given authorization level (such as ``READ``, ``WRITE``, ``DAEMON``,
    ``ADVERTISE_STARTD``).  If multiple authorizations are needed, then
    **-authz** must be specified multiple times.  If **-authz** is not
    specified, no authorization restrictions are added and authorization
    will be solely based on the token's identity.
    **NOTE** that **-authz** cannot be used to give an identity additional
    permissions at the remote host.  If the server's admin only permits
    the user ``READ`` authorization, then specifying ``-authz WRITE`` in a
    token will not allow the user to perform writes.
 **-debug**
    Causes debugging information to be sent to ``stderr``, based on the
    value of the configuration variable :macro:`TOOL_DEBUG`.
 **-help**
    Display brief usage information and exit.
 **-lifetime** *value*
    Specify the lifetime, in seconds, for the token to be valid (the
    token validity will start when the token is signed).  After the
    lifetime expires, the token cannot be used for authentication.  If
    not specified, the token will contain no lifetime restrictions.
 **-name** *hostname*
    Request a token from the daemon named *hostname* in the pool.  If not specified,
    the locally-running daemons will be used.
 **-pool** *pool_name*
    Request a token from a daemon in a non-default pool *pool_name*.
 **-token** *filename*
    Specifies a filename, relative to the directory in the :macro:`SEC_TOKEN_DIRECTORY`
    configuration variable (defaulting to ``~/.condor/tokens.d``), where
    the resulting token is stored.  If not specified, the token will be
    sent to ``stdout``.
 **-type** *type*
    Request a token from a specific daemon type *type*.  If not given, a
    *condor_schedd* is used.
 **-key** *signing_key*
    Request a token signed by the signing key named *signing_key*.  If not
    given, the daemon's default key will be used.

Examples
--------

To obtain a token with a lifetime of 10 minutes from the default *condor_schedd*:

.. code-block:: console

    $ condor_token_fetch -lifetime 600
    eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...ii7lAfCA

To request a token from ``bird.cs.wisc.edu`` which is limited to ``READ`` and
``WRITE``:

.. code-block:: console

    $ condor_token_fetch -name bird.cs.wisc.edu \
                          -authz READ -authz WRITE
    eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...lJTj54

To request a token from the collector in the ``htcondor.cs.wisc.edu`` pool
and then to save it to ``~/.condor/tokens.d/friend``:

.. code-block:: console

    $ condor_token_fetch -pool htcondor.cs.wisc.edu -type collector -lifetime 600 -token friend

Exit Status
-----------

*condor_token_fetch* will exit with a non-zero status value if it
fails to request or read the token.  Otherwise, it will exit 0.

See also
--------

:manpage:`condor_token_create(1)`, :manpage:`condor_token_request(1)`, :manpage:`condor_token_list(1)`

Author
------

Center for High Throughput Computing, University of Wisconsin-Madison