CONDOR_TOKEN_FETCH(1)           HTCondor Manual          CONDOR_TOKEN_FETCH(1)

NAME

       condor_token_fetch - HTCondor Manual

       obtain a token from a remote daemon for the IDTOKENS authentication
       method

SYNOPSIS

       condor_token_fetch [-authz authz ...] [-lifetime value] [-pool
       pool_name] [-name hostname] [-type type] [-token filename] [-key
       signing_key]

       condor_token_fetch [-help]

DESCRIPTION

       condor_token_fetch will attempt to fetch an authentication token from a
       remote daemon. If successful, the identity embedded in the token will
       be the same as the client's identity at the remote daemon.

       Authentication tokens are a useful mechanism to limit an identity's
       authorization or to establish an alternate authentication method. For
       example, an administrator may utilize condor_token_fetch to create a
       token for a monitoring host that is limited to only the READ
       authorization. A user may use condor_token_fetch while they are logged
       in to a submit host and then use the resulting token to submit remotely
       from their personal laptop.

       If the -lifetime or (one or more) -authz options are specified, the
       token will contain additional restrictions that limit what the client
       will be authorized to do.

       By default, condor_token_fetch will query the local condor_schedd; by
       specifying a combination of -pool, -name, or -type, the tool can
       request tokens in other pools, on other hosts, or from different daemon
       types.

       If successful, the resulting token will be sent to stdout; by
       specifying the -token option, it will instead be written to the user's
       token directory.

OPTIONS

          -authz authz
                 Adds a restriction to the token so it is only valid to be
                 used for a given authorization level (such as READ, WRITE,
                 DAEMON, ADVERTISE_STARTD). If multiple authorizations are
                 needed, then -authz must be specified multiple times. If
                 -authz is not specified, no authorization restrictions are
                 added and authorization will be solely based on the token's
                 identity. NOTE that -authz cannot be used to give an
                 identity additional permissions at the remote host. If the
                 server's admin only permits the user READ authorization, then
                 specifying -authz WRITE in a token will not allow the user to
                 perform writes.

          -debug Causes debugging information to be sent to stderr, based on
                 the value of the configuration variable TOOL_DEBUG.

          -help  Display brief usage information and exit.

          -lifetime value
                 Specify the lifetime, in seconds, for the token to be valid
                 (the token validity will start when the token is signed).
                 After the lifetime expires, the token cannot be used for
                 authentication. If not specified, the token will contain no
                 lifetime restrictions.

          -name hostname
                 Request a token from the daemon named hostname in the pool.
                 If not specified, the locally-running daemons will be used.

          -pool pool_name
                 Request a token from a daemon in a non-default pool
                 pool_name.

          -token filename
                 Specifies a filename, relative to the directory in the
                 SEC_TOKEN_DIRECTORY configuration variable (defaulting to
                 ~/.condor/tokens.d), where the resulting token is stored. If
                 not specified, the token will be sent to stdout.

          -type type
                 Request a token from a specific daemon type type. If not
                 given, a condor_schedd is used.

          -key signing_key
                 Request a token signed by the signing key named signing_key.
                 If not given, the daemon's default key will be used.

EXAMPLES

       To obtain a token with a lifetime of 10 minutes from the default
       condor_schedd:

          $ condor_token_fetch -lifetime 600
          eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...ii7lAfCA

       To request a token from bird.cs.wisc.edu which is limited to READ and
       WRITE:

          $ condor_token_fetch -name bird.cs.wisc.edu \
                                -authz READ -authz WRITE
          eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...lJTj54

       To create a token from the collector in the htcondor.cs.wisc.edu pool
       and then to save it to ~/.condor/tokens.d/friend:

          $ condor_token_fetch -pool htcondor.cs.wisc.edu -type COLLECTOR -lifetime 600 -token friend

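       The -lifetime and -authz restrictions described above can be checked on
       a fetched token before it is copied to another host. The Python below
       is an added example, not part of the HTCondor manual or code base; it
       reads the token's claims without verifying the signature. The exp and
       scope claim names, the condor:/LEVEL scope format and the sample
       payloads are assumptions; only the header segment comes from this page.

```python
import base64
import json
import time

HEADER_SEG = "eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ"  # header segment from EXAMPLES

def decode_segment(seg):
    """Decode one base64url JWT segment, restoring stripped padding."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def audit_token(token, allowed_authz, max_lifetime, now=None):
    """Return policy findings for a token; an empty list means acceptable.

    The signature is not verified (that needs the daemon's signing key);
    this only reads the restrictions the token claims to carry.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = decode_segment(parts[1])
    now = time.time() if now is None else now
    findings = []
    exp = claims.get("exp")  # assumption: expiry claim written for -lifetime
    if exp is None:
        findings.append("no lifetime restriction")
    elif exp <= now:
        findings.append("expired")
    elif exp - now > max_lifetime:
        findings.append("remaining lifetime exceeds policy")
    scope = claims.get("scope")  # assumption: "condor:/READ condor:/WRITE"
    if scope is None:
        findings.append("no authorization restriction")
    else:
        granted = {entry.rsplit("/", 1)[-1] for entry in scope.split()}
        extra = sorted(granted - set(allowed_authz))
        if extra:
            findings.append("unexpected authorization: " + ",".join(extra))
    return findings

def make_sample(payload):
    """Build a constructed sample token with a placeholder signature."""
    raw = json.dumps(payload).encode()
    body = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{HEADER_SEG}.{body}.Y29uc3RydWN0ZWQ"

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    ro = make_sample({"iat": t0, "exp": t0 + 600, "scope": "condor:/READ"})
    print(audit_token(ro, {"READ"}, 3600, now=t0))         # within policy
    print(audit_token(make_sample({"iat": t0}), {"READ"}, 3600, now=t0))
```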

EXIT STATUS

       condor_token_fetch will exit with a non-zero status value if it fails
       to request or read the token. Otherwise, it will exit 0.

SEE ALSO

       condor_token_create(1), condor_token_request(1), condor_token_list(1)

AUTHOR

       Center for High Throughput Computing, University of Wisconsin-Madison

       Copyright © 1990-2019 Center for High Throughput Computing, Computer
       Sciences Department, University of Wisconsin-Madison, Madison, WI. All
       Rights Reserved. Licensed under the Apache License, Version 2.0.

AUTHOR

       HTCondor Team

       1990-2023, Center for High Throughput Computing, Computer Sciences
       Department, University of Wisconsin-Madison, Madison, WI, US. Licensed
       under the Apache License, Version 2.0.

                                 Oct 02, 2023            CONDOR_TOKEN_FETCH(1)