CONDOR_TOKEN_CREATE(1)           HTCondor Manual           CONDOR_TOKEN_CREATE(1)

NAME
       condor_token_create - HTCondor Manual

       given a password file, create an authentication token for the IDTOKENS
       authentication method

SYNOPSIS
       condor_token_create -identity user@domain [-key keyid] [-authz authz ...]
       [-lifetime value] [-token filename] [-debug]

       condor_token_create [-help ]
DESCRIPTION
       condor_token_create will read an HTCondor password file inside the
       SEC_PASSWORD_DIRECTORY (by default, this is the pool password) and use
       it to create an authentication token. The authentication token may
       subsequently be used by clients to authenticate against a remote
       HTCondor server. Tokens allow fine-grained authentication as individual
       HTCondor users, as opposed to the pool password, where anyone in
       possession of the pool password authenticates as the same user.

       An identity must be specified for the token; this will be the client's
       resulting identity at the remote HTCondor server. If the -lifetime or
       (one or more) -authz options are specified, the token will contain
       additional restrictions that limit what the client will be authorized
       to do. If an attacker is able to access the token, they will be able to
       authenticate with the identity listed in the token (subject to the
       restrictions above).

       If successful, the resulting token will be sent to stdout; by
       specifying the -token option, it will instead be written to the user's
       token directory. If written to SEC_TOKEN_SYSTEM_DIRECTORY (default
       /etc/condor/tokens.d), then the token can be used for daemon-to-daemon
       authentication.

       condor_token_create is currently only supported on Unix platforms.
OPTIONS
       -authz authz
              Adds a restriction to the token so it is only valid to be used
              for a given authorization level (such as READ, WRITE, DAEMON,
              ADVERTISE_STARTD). If multiple authorizations are needed, then
              -authz must be specified multiple times. If -authz is not
              specified, no authorization restrictions are added and
              authorization will be based solely on the token's identity.
              NOTE that -authz cannot be used to give an identity additional
              permissions at the remote host. If the server's admin only
              permits the user READ authorization, then specifying -authz
              WRITE in a token will not allow the user to perform writes.

       -debug Causes debugging information to be sent to stderr, based on the
              value of the configuration variable TOOL_DEBUG.

       -help  Display brief usage information and exit.

       -identity user@domain
              Set a specific client identity to be written into the token; a
              client will authenticate as this identity with a remote server.

       -key keyid
              Specify a key file to use under the directory specified by the
              SEC_PASSWORD_DIRECTORY configuration variable. The key name must
              match a file in the password directory; the file's contents must
              be created with condor_store_cred and will be used to sign the
              resulting token. If -key is not set, then the default pool
              password will be used.

       -lifetime value
              Specify the lifetime, in seconds, for the token to be valid
              (the token validity will start when the token is signed). After
              the lifetime expires, the token cannot be used for
              authentication. If not specified, the token will contain no
              lifetime restrictions.

       -token filename
              Specifies a filename, relative to the directory in the
              SEC_TOKEN_DIRECTORY configuration variable (for example, on
              Linux this defaults to ~/.condor/tokens.d), where the resulting
              token is stored. If not specified, the token will be sent to
              stdout.
EXAMPLES
       To create a token for jane@cs.wisc.edu with no additional restrictions:

          $ condor_token_create -identity jane@cs.wisc.edu
          eyJhbGciOiJIUzI1NiIsImtpZCI6Il....bnu3NoO9BGM

       To create a token for worker-node@cs.wisc.edu that may advertise either
       a condor_startd or a condor_master:

          $ condor_token_create -identity worker-node@cs.wisc.edu \
              -authz ADVERTISE_STARTD \
              -authz ADVERTISE_MASTER
          eyJhbGciOiJIUzI1NiIsImtpZC.....8wkstyj_OnM0SHsOdw

       To create a token for friend@cs.wisc.edu that is only valid for 10
       minutes, and then to save it to ~/.condor/tokens.d/friend:

          $ condor_token_create -identity friend@cs.wisc.edu -lifetime 600 -token friend

       If the administrator would like to create a specific key for signing
       tokens, token_key, distinct from the default pool password, they would
       first use condor_store_cred to create the key:

          $ openssl rand -base64 32 | condor_store_cred -f /etc/condor/passwords.d/token_key

       Note that in this case we created a random 32-byte key (base64-encoded)
       using OpenSSL instead of providing a human-friendly password.

       Next, the administrator would run condor_token_create:

          $ condor_token_create -identity frida@cs.wisc.edu -key token_key
          eyJhbGciOiJIUzI1NiIsImtpZCI6I.....eyJpYXQjOUzlN6QA

       If the token_key file is deleted from the SEC_PASSWORD_DIRECTORY, then
       all of the tokens issued with that key will be invalidated.
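The signing, key-lookup, lifetime and authorization semantics described above, modelled in Python as an added example (this is not HTCondor's code). The "alg"/"kid" header fields are what the eyJhbGciOiJIUzI1NiIsImtpZCI6I prefix of the printed tokens decodes to; the claim names sub/iat/exp/scope, the condor:/ scope format and the key material are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for SEC_PASSWORD_DIRECTORY: key file name -> key material.
# "POOL" plays the default pool password, "token_key" the admin-created key.
KEYS = {"POOL": b"constructed-pool-password", "token_key": b"constructed-token-key"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_token(identity, now, keyid="POOL", authz=(), lifetime=None):
    """Model of condor_token_create: HS256 JWT whose 'kid' names the signing key file."""
    # Claim names sub/iat/exp/scope are assumptions modelled on standard JWT claims.
    header = {"alg": "HS256", "kid": keyid}
    payload = {"sub": identity, "iat": now}  # validity starts when the token is signed
    if lifetime is not None:
        payload["exp"] = now + lifetime  # -lifetime restriction
    if authz:
        payload["scope"] = " ".join("condor:/" + a for a in authz)  # -authz restriction
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(KEYS[keyid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token, keys, now):
    """Server side: look up the key named by 'kid', check the HMAC, then the lifetime."""
    head, body, sig = token.split(".")
    kid = json.loads(_b64url_decode(head)).get("kid")
    if kid not in keys:  # a deleted key file invalidates every token it signed
        raise ValueError("unknown key id %r (deleted or never created)" % kid)
    expected = hmac.new(keys[kid], (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature does not verify")
    payload = json.loads(_b64url_decode(body))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload

def effective_authz(payload, server_allows):
    """Levels granted: token scope can only narrow what the admin permits, never add."""
    if "scope" not in payload:
        return set(server_allows)
    requested = {s.split("/", 1)[1] for s in payload["scope"].split()}
    return requested & set(server_allows)
```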
EXIT STATUS
       condor_token_create will exit with a non-zero status value if it fails
       to read the password file, sign the token, write the output, or
       experiences some other error. Otherwise, it will exit 0.

SEE ALSO
       condor_store_cred(1), condor_token_fetch(1), condor_token_request(1),
       condor_token_list(1)

AUTHOR
       Center for High Throughput Computing, University of Wisconsin-Madison

COPYRIGHT
       Copyright © 1990-2019 Center for High Throughput Computing, Computer
       Sciences Department, University of Wisconsin-Madison, Madison, WI. All
       Rights Reserved. Licensed under the Apache License, Version 2.0.

       HTCondor Team

       1990-2023, Center for High Throughput Computing, Computer Sciences
       Department, University of Wisconsin-Madison, Madison, WI, US. Licensed
       under the Apache License, Version 2.0.

Oct 02, 2023                                             CONDOR_TOKEN_CREATE(1)