CONDOR_TOKEN_REQUEST(1)          HTCondor Manual          CONDOR_TOKEN_REQUEST(1)

condor_token_request - HTCondor Manual

interactively request a token from a remote daemon for the IDTOKENS
authentication method

condor_token_request [-identity user@domain] [-authz authz ...]
[-lifetime value] [-pool pool_name] [-name hostname] [-type type]
[-token filename]

condor_token_request [-help]

condor_token_request will request an authentication token from a remote
daemon. Token requests must be approved by the daemon's administrator
using condor_token_request_approve. Unlike condor_token_fetch, the
user doesn't need an existing identity with the remote daemon when
using condor_token_request (an anonymous method, such as SSL without a
client certificate, will suffice).

If the request is successfully enqueued, the request ID will be printed
to stderr; the administrator will need to know the ID to approve the
request. condor_token_request will wait until the request is approved,
timing out after an hour.

The token request mechanism provides a powerful way to bootstrap
authentication in an HTCondor pool - a remote user can request an
identity, verify the authenticity of the request out-of-band with the
remote daemon's administrator, and then securely receive their
authentication token.

By default, condor_token_request will query the local condor_collector;
by specifying a combination of -pool, -name, or -type, the tool can
request tokens in other pools, on other hosts, or different daemon types.

If successful, the resulting token will be sent to stdout; by
specifying the -token option, it will instead be written to the user's
token directory.

-authz authz
    Adds a restriction to the token so it is only valid to be
    used for a given authorization level (such as READ, WRITE,
    DAEMON, ADVERTISE_STARTD). If multiple authorizations are
    needed, then -authz must be specified multiple times. If
    -authz is not specified, no authorization restrictions are
    added and authorization will be solely based on the token's
    identity. NOTE that -authz cannot be used to give an
    identity additional permissions at the remote host. If the
    server's admin only permits the user READ authorization, then
    specifying -authz WRITE in a token will not allow the user to
    perform writes.

-debug
    Causes debugging information to be sent to stderr, based on
    the value of the configuration variable TOOL_DEBUG.

-help
    Display brief usage information and exit.

-identity user@domain
    Request a specific identity from the daemon; a client using
    the resulting token will authenticate as this identity with a
    remote server. If not specified, the token will be issued
    for the condor identity.

-lifetime value
    Specify the lifetime, in seconds, for the token to be valid
    (the token validity will start when the token is signed).
    After the lifetime expires, the token cannot be used for
    authentication. If not specified, the token will contain no
    lifetime restrictions.

-name hostname
    Request a token from the daemon named hostname in the pool.
    If not specified, the locally-running daemons will be used.

-pool pool_name
    Request a token from a daemon in a non-default pool
    pool_name.

-token filename
    Specifies a filename, relative to the directory in the
    SEC_TOKEN_DIRECTORY configuration variable (defaulting to
    ~/.condor/tokens.d), where the resulting token is stored. If
    not specified, the token will be sent to stdout.

-type type
    Request a token from a specific daemon type type. If not
    given, a condor_collector is used.
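
An added example (not part of the HTCondor manual or code base): because omitting -authz or -lifetime yields a token with no authorization or lifetime restriction, this Python check decodes a token's claims without verifying the signature and reports which restrictions are missing. The claim names exp, iat and scope, the function names, the max_lifetime policy value and the sample claims are assumptions; the header segment is the one shown in this page's example tokens.

```python
import base64
import json
import time

# Header segment copied from the example tokens on this page;
# it decodes to {"alg":"HS256","kid":"POOL"}.
PAGE_HEADER = "eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ"

def b64url_json(segment):
    """Decode one base64url token segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def sample_token(claims):
    """Build a constructed sample token; the last segment is a placeholder."""
    raw = json.dumps(claims).encode()
    body = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{PAGE_HEADER}.{body}.c2ln"

def audit_token(token, now=None, max_lifetime=86400):
    """Return (claims, findings). The signature is NOT verified: this only
    reports which restrictions a token carries, it does not authenticate it."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    findings = []
    if header.get("alg") != "HS256":
        findings.append(f"unexpected alg {header.get('alg')!r}")
    exp = claims.get("exp")  # assumed claim name (standard JWT expiry)
    if exp is None:
        findings.append("no exp claim: never expires (no -lifetime)")
    elif exp <= now:
        findings.append("token already expired")
    elif exp - claims.get("iat", now) > max_lifetime:
        findings.append("lifetime exceeds local policy maximum")
    if not claims.get("scope"):  # assumed claim name for -authz limits
        findings.append("no scope claim: identity-only authorization (no -authz)")
    return claims, findings

if __name__ == "__main__":
    # Constructed sample: requested with -identity only.
    tok = sample_token({"iat": 1696250000, "sub": "bucky@cs.wisc.edu"})
    for finding in audit_token(tok, now=1696250100)[1]:
        print("FINDING:", finding)
```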

To obtain a token with a lifetime of 10 minutes from the default
condor_collector (the token is not returned until the daemon's
administrator takes action):

    $ condor_token_request -lifetime 600
    Token request enqueued. Ask an administrator to please approve request 6108900.
    eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...ii7lAfCA

To request a token from bird.cs.wisc.edu which is limited to READ and
WRITE:

    $ condor_token_request -name bird.cs.wisc.edu \
        -identity bucky@cs.wisc.edu \
        -authz READ -authz WRITE
    Token request enqueued. Ask an administrator to please approve request 2578154
    eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...lJTj54

To create a token from the collector in the htcondor.cs.wisc.edu pool
and then to save it to ~/.condor/tokens.d/friend:

    $ condor_token_request -pool htcondor.cs.wisc.edu \
        -identity friend@cs.wisc.edu \
        -lifetime 600 -token friend
    Token request enqueued. Ask an administrator to please approve request 2720841.

condor_token_request will exit with a non-zero status value if it fails
to request or receive the token. Otherwise, it will exit 0.
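
An added example, not from the HTCondor manual: a Python wrapper for the behaviour described above, where the request ID arrives on stderr, the token on stdout, and failure is signalled by a non-zero exit status. The function name request_token, its cmd and timeout parameters, and the 3700-second timeout (just over the one-hour wait) are assumptions of this example.

```python
import os
import subprocess
import sys

def request_token(path, extra_args=(), cmd=("condor_token_request",), timeout=3700):
    """Run the request tool and store the token in a new owner-only file.

    stderr is inherited, so the operator still sees the request ID to pass
    to the administrator; only stdout (the token) is captured, which keeps
    the token out of terminal scrollback and logs.
    """
    try:
        proc = subprocess.run([*cmd, *extra_args], stdout=subprocess.PIPE,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        raise RuntimeError("request was not approved in time") from None
    if proc.returncode != 0:
        # Non-zero exit: the tool failed to request or receive the token.
        raise RuntimeError(f"token request failed (exit {proc.returncode})")
    token = proc.stdout.strip()
    if token.count(".") != 2 or any(c.isspace() for c in token):
        raise RuntimeError("stdout is not a single header.payload.signature token")
    # O_EXCL refuses to reuse an existing file; 0o600 keeps it owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    return path

if __name__ == "__main__":
    # Usage: script.py OUTPUT_FILE [condor_token_request options...]
    print("token written to", request_token(sys.argv[1], sys.argv[2:]))
```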

condor_token_create(1), condor_token_fetch(1),
condor_token_request_approve(1), condor_token_request_auto_approve(1),
condor_token_list(1)

Center for High Throughput Computing, University of Wisconsin-Madison

Copyright © 1990-2019 Center for High Throughput Computing, Computer
Sciences Department, University of Wisconsin-Madison, Madison, WI. All
Rights Reserved. Licensed under the Apache License, Version 2.0.

HTCondor Team

1990-2023, Center for High Throughput Computing, Computer Sciences
Department, University of Wisconsin-Madison, Madison, WI, US. Licensed
under the Apache License, Version 2.0.

Oct 02, 2023                                          CONDOR_TOKEN_REQUEST(1)