CONDOR_STORE_CRED(1)            HTCondor Manual           CONDOR_STORE_CRED(1)

NAME

       condor_store_cred - HTCondor Manual

       securely stash a credential

SYNOPSIS

       condor_store_cred -h

       condor_store_cred action [ options ]

DESCRIPTION

       condor_store_cred stores credentials in a secure manner. There are
       three actions, each of which can optionally be followed by a hyphen and
       one of three types.

       The actions are:

          add[-type]
                 Add credential to secure storage

          delete[-type]
                 Remove credential from secure storage

          query[-type]
                 Check if a credential has been stored

       The types are:

          -pwd   Credential is a password (default)

          -krb   Credential is a Kerberos/AFS token

          -oauth Credential is a SciToken or OAuth2 token

       Credentials are stashed in a persistent manner; they are maintained
       across system reboots. When adding a credential, if there is already a
       credential stashed, the old credential will be overwritten by the new
       one.

       There are two separate uses of the password actions of
       condor_store_cred:

       1. A shared pool password is needed in order to implement the PASSWORD
          authentication method. condor_store_cred using the -c option deals
          with the password for the implied condor_pool@$(UID_DOMAIN) user
          name.

          On a Unix machine, condor_store_cred add[-pwd] with the -f option is
          used to set the pool password, as needed when used with the PASSWORD
          authentication method. The pool password is placed in a file
          specified by the SEC_PASSWORD_FILE configuration variable.

       2. In order to submit a job from a Windows platform machine, or to
          execute a job on a Windows platform machine utilizing the
          run_as_owner functionality, condor_store_cred add[-pwd] stores the
          password of a user/domain pair securely in the Windows registry.
          Using this stored password, HTCondor may act on behalf of the
          submitting user to access files, such as writing output or log
          files. HTCondor is able to run jobs with the user ID of the
          submitting user. The password is stored in the same manner as the
          system does when setting or changing account passwords.

       Unless the -p argument is used with the add or add-pwd action, the user
       is prompted to enter the password twice for confirmation, and
       characters are not echoed.

       The add-krb and add-oauth actions must be used with the -i argument to
       specify a filename to read from.

       The -oauth actions require a -s service name argument. The -S and -A
       options may be used with add-oauth to add scopes and/or audience to the
       credentials or with query-oauth to make sure that the scopes or
       audience match the previously stored credentials. If either -S or -A is
       used then the credentials must be in JSON format.

OPTIONS

          -h     Displays a brief summary of command options.

          -c     [-pwd] actions refer to the pool password, as used in the
                 PASSWORD authentication method.

          -f filename
                 For Unix machines only, generates a pool password file named
                 filename that may be used with the PASSWORD authentication
                 method.

          -i filename
                 Read credential from filename. If filename is -, read from
                 stdin. Required for add-krb and add-oauth.

          -s service
                 The OAuth2 service. Required for all -oauth actions.

          -H handle
                 Specify a handle for the given OAuth2 service.

          -S scopes
                 Optional comma-separated list of scopes to request for
                 add-oauth action. If used with the query-oauth action, makes
                 sure that the same scopes were requested in the original
                 credential. Requires credentials to be in JSON format.

          -A audience
                 Optional audience to request for add-oauth action. If used
                 with the query-oauth action, makes sure that the same
                 audience was requested in the original credential. Requires
                 credentials to be in JSON format.

          -n machinename
                 Apply the command on the given machine.

          -p password
                 Stores password, rather than prompting the user to enter a
                 password.

          -u username
                 Specify the user name.

EXIT STATUS

       condor_store_cred will exit with a status value of 0 (zero) upon
       success. If the query-oauth action finds a credential but the scopes or
       audience don't match, condor_store_cred will exit with a status value 2
       (two). Otherwise, it will exit with the value 1 (one) upon failure.
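
       The exit status values above can drive a scripted check. As an added
       example (not part of the HTCondor manual), the functions below wrap
       query-oauth and add-oauth using only the options documented on this
       page; the function names are hypothetical, and the service, scopes,
       audience and file arguments are whatever the caller supplies.

```shell
#!/bin/sh
# Added example, not from the HTCondor manual. Function names are
# hypothetical; service, scopes, audience and file come from the caller.

# run_oauth ACTION SERVICE SCOPES AUDIENCE [extra args...]
# Builds the command line; empty SCOPES/AUDIENCE omit -S/-A.
run_oauth() {
    action=$1 service=$2 scopes=$3 audience=$4
    shift 4
    set -- "$action" -s "$service" "$@"
    if [ -n "$scopes" ]; then set -- "$@" -S "$scopes"; fi
    if [ -n "$audience" ]; then set -- "$@" -A "$audience"; fi
    condor_store_cred "$@" >/dev/null 2>&1
}

# oauth_cred_state SERVICE [SCOPES] [AUDIENCE]
# Prints stored | mismatch | failure and returns the documented 0 | 2 | 1.
oauth_cred_state() {
    rc=0
    run_oauth query-oauth "$1" "${2:-}" "${3:-}" || rc=$?
    case $rc in
        0) echo stored ;;
        2) echo mismatch ;;   # credential found, scopes/audience differ
        *) echo failure; rc=1 ;;
    esac
    return "$rc"
}

# ensure_oauth_cred SERVICE JSON_FILE [SCOPES] [AUDIENCE]
# Leaves a matching stored credential alone; otherwise adds the credential
# (overwriting any old one) and queries again to confirm the result.
ensure_oauth_cred() {
    state=$(oauth_cred_state "$1" "${3:-}" "${4:-}") || true
    if [ "$state" = stored ]; then return 0; fi
    # -S/-A require the credential to be JSON; "-" as the file reads stdin.
    run_oauth add-oauth "$1" "${3:-}" "${4:-}" -i "$2" || return 1
    oauth_cred_state "$1" "${3:-}" "${4:-}" >/dev/null
}
```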

AUTHOR

       HTCondor Team

       1990-2023, Center for High Throughput Computing, Computer Sciences
       Department, University of Wisconsin-Madison, Madison, WI, US. Licensed
       under the Apache License, Version 2.0.

                                 Oct 02, 2023             CONDOR_STORE_CRED(1)