Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Give some sort of warning/error if a non-managed token production token was used in jobsub_submit #492

Open
shreyb opened this issue Nov 7, 2023 · 2 comments
Open

Give some sort of warning/error if a non-managed token production token was used in jobsub_submit #492

shreyb opened this issue Nov 7, 2023 · 2 comments
Labels
enhancement New feature or request proposed Hasn't been reviewed by the jobsub team. Don't do these until post-review (and then remove label)

Comments

@shreyb
Copy link
Collaborator

shreyb commented Nov 7, 2023

This is a request originating from Fermilab ServiceNow incident INC000001158064, submitted by @hgreenlee. He writes:

If jobsub_submit could predict based on the kind of token it is given that the submission would fail, that would be good.

He requests that we have some sort of token-checking mechanism for these non-default role tokens (production, MARS, etc.), that sees if they are generated from a managed token or not. This should be possible by checking the subject and groups field.

Background

The background for this is that it appears that either HTCondor, or the CredmonOAuth plugin for scitokens doesn't know how to handle multiple tokens that map to the same condor user. When jobsub used proxy auth, the mapping from credential to user was handled external to condor, and so we had the possibility for users with the Production role to submit jobs from both their own UNIX account, as well as a shared account associated with that role for their experiment. For example, if I had role Production with experiment Hypot, and the associated shared account was called hypotpro, I could submit Production jobs both from my own username, as well as from hypotpro, that, on the grid, would map to hypotpro.

Unfortunately, this does not seem to be possible with token auth. It is entirely possible for a production user to obtain a production-role token with a subject that maps back to their username (the analog to the user-subject production proxy), but the subsequent submission fails if a managed token is already stored in the relevant schedd's credd. The error message that the user gets back is not descriptive at all (something like condor_submit failed with exit code 1).
@shreyb shreyb added enhancement New feature or request proposed Hasn't been reviewed by the jobsub team. Don't do these until post-review (and then remove label) labels Nov 7, 2023
@marcmengel
Copy link
Contributor

The "condor_submit failed with exit code 1" and no other error was largely fixed in
https://github.com/fermitools/jobsub_lite/pull/479/files#diff-4247d9d2a5b7386fd2052176f8e7763eb3f0fb0164448a70e8c674c065ada182
where stderr of the condor_submit was getting swallowed.

So it would be interesting to see what if any error you get with jobsub_lite 1.5

@shreyb
Copy link
Collaborator Author

shreyb commented Nov 8, 2023

Maybe we do this as a first-order workaround:

  1. Get a list from FERRY of capability sets that map to a username (cache it in /tmp)
  2. If user is using non-standard role, and matches capability set, but is NOT the mapped user, we reject user

Roughly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request proposed Hasn't been reviewed by the jobsub team. Don't do these until post-review (and then remove label)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marcmengel @shreyb