This repository was archived by the owner on May 23, 2022. It is now read-only.

Commit 4479a26

Add some information about using tokens with a CE or with XRootD
1 parent 21b64c2 commit 4479a26

1 file changed

+39
-0
lines changed

docs/security/tokens/overview.md

Lines changed: 39 additions & 0 deletions
@@ -130,6 +130,45 @@ For example, the following groups and roles have been used by the ATLAS and CMS
130130
```
131131

132132

133+
Using Bearer Tokens with HTCondor-CE
134+
------------------------------------
135+
136+
In order to support Token AAI, your CE must be based on OSG 3.6 or OSG 3.5-upcoming.
137+
You will need HTCondor 9.0.0 or newer, and `SCITOKENS` must be enabled as an auth method (this is the default).
138+
139+
You must have a mapfile which provides mappings from bearer tokens to Unix usernames,
140+
based on the token's issuer and, optionally, subject.
141+
The OSG distributes the `osg-scitokens-mapfile` RPM package that includes default mappings for use by OSG CEs.
142+
143+
Token mapfile lines look like:
144+
```
145+
SCITOKENS /^https\:\/\/scitokens\.org\/ligo,/ ligo
146+
SCITOKENS /^https\:\/\/cilogon\.org\/gm2,gm2pilot\@fnal\.gov$/ gm2pilot
147+
```
148+
These are regular expressions; the first matches a token with the issuer `https://scitokens.org/ligo`
149+
and any subject, and maps it to the `ligo` user.
150+
Note the trailing `,` in the regular expression: this separates the issuer from the subject.
151+
152+
The second example matches the issuer `https://cilogon.org/gm2` _and_ the subject `[email protected]`,
153+
and maps it to the `gm2pilot` user.
154+
155+
A `SCITOKENS` mapfile line supports WLCG tokens as well.
156+
Note that mapping can only be done on issuer and subject, _not_ `wlcg.groups`.
157+
158+
See the [configuring authentication documentation for HTCondor-CE]
159+
(https://opensciencegrid.org/docs/compute-element/install-htcondor-ce/#configuring-authentication)
160+
for further information.
161+
162+
163+
Using Bearer Tokens with XRootD
164+
-------------------------------
165+
166+
In order to support Token AAI, your XRootD installation must be based on OSG 3.6 or OSG 3.5-upcoming.
167+
You will need XRootD 5.0.2 or newer, with the `xrootd-scitokens` plugin.
168+
Follow the [configuring XRootD authorization documentation](https://opensciencegrid.org/docs/data/xrootd/xrootd-authorization)
169+
for information on how to configure XRootD to accept bearer tokens.
170+
171+
133172
Validating Tokens in Pilot Jobs
134173
-------------------------------
135174
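Review bot: The mapfile explanation at added lines 148-150 says the trailing `,` separates the issuer from the subject but not why it has to stay. The first pattern has no `$`, so without the comma it would also match any issuer that merely begins with `https://scitokens.org/ligo`. Suggest adding a sentence that says so, and another noting that the `$` in the second example is what restricts the match to exactly that subject. Separately, the link at added lines 158-159 is split between `]` and `(`. Markdown inline links need the `(` directly after the `]`, so the label and URL should sit on one line or the link will not render.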
