Reworking the OSG-Connect "local signing mode"


Brian Bockelman

Feb 7, 2019, 10:28:02 PM
To: SciTokens Discussion
Hi all,

I was able to get the "local signing mode" used by OSG-Connect working again and integrated into the OAuth-based scitokens-credmon that Jason has been working on.  See the pull request here:



When set up, the admin can configure a single "local signing mode" issuer, which is a bit of a disappointing limitation.

I also updated the ticket I had opened about supporting the local signing mode:


I'm driving it in a bit of a different direction -- I'd like the admin to be able to whitelist which providers work in this way and give these as a single request to the credmon via the existing interface.  That would allow the user to specify more fine-grained tokens for their jobs than whatever-the-admin-set.

Finally, I'd note that "local signing mode" could be entirely self-hosted: the credmon itself could provide the '.well-known' URLs necessary for auto-discovering issuer keys.  This would allow anyone willing to run our Flask app on a schedd to be able to run a simple SciTokens setup.

Brian
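Brian's last point, that the credmon could serve its own '.well-known' URLs and so make a single schedd a self-contained SciTokens issuer, as an added example. This is not code from the thread, from scitokens-credmon or from the scitokens library. It assumes a hypothetical issuer URL https://credmon.example.org and a hypothetical JWKS path /oauth2/certs, uses an EC key (P-256, ES256) as the thread's local signer does, and carries its own P-256 arithmetic so it runs offline from the standard library alone; a real deployment would sign with the cryptography package or the scitokens library rather than the hand-rolled, variable-time ECDSA here. handle_path is the route table a Flask view or a BaseHTTPRequestHandler.do_GET would call.

```python
import base64
import hashlib
import json
import secrets
import time

ISSUER = "https://credmon.example.org"  # hypothetical issuer URL for a credmon on a schedd
JWKS_PATH = "/oauth2/certs"             # hypothetical path; the discovery doc's jwks_uri points at it

# NIST P-256 domain parameters (SEC 2); the curve coefficient a = -3 is folded into _add.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None: return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):  # double-and-add; variable-time, fine for a demo, not for a real signer
    r = None
    while k:
        if k & 1: r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def generate_key():  # returns (private scalar d, public point Q = d*G)
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def public_jwk(pub):
    """EC JWK for the issuer key; kid is the RFC 7638 thumbprint of the public members."""
    x, y = (_b64u(c.to_bytes(32, "big")) for c in pub)
    core = {"crv": "P-256", "kty": "EC", "x": x, "y": y}
    canon = json.dumps(core, separators=(",", ":"), sort_keys=True).encode()
    return dict(core, kid=_b64u(hashlib.sha256(canon).digest()), use="sig", alg="ES256")

def _ecdsa_sign(d, msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1  # fresh nonce per signature; nonce reuse leaks d
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (h + r * d) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")  # JWS raw r||s encoding

def _ecdsa_verify(pub, msg, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N): return False
    h, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = _add(_mul(h * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def discovery_document():  # body of /.well-known/openid-configuration
    return {"issuer": ISSUER, "jwks_uri": ISSUER + JWKS_PATH}

def handle_path(path, jwks):  # route table for the two discovery endpoints: (status, body)
    if path == "/.well-known/openid-configuration":
        return 200, discovery_document()
    if path == JWKS_PATH: return 200, jwks
    return 404, {"error": "not found"}

def sign_scitoken(d, jwk, subject, scope, lifetime=3600):
    """Locally signed SciTokens-style JWT whose iss matches the discovery document."""
    now = int(time.time())
    header = {"alg": "ES256", "typ": "JWT", "kid": jwk["kid"]}
    claims = {"iss": ISSUER, "sub": subject, "aud": "ANY", "scope": scope,
              "ver": "scitoken:2.0", "iat": now, "nbf": now, "exp": now + lifetime}
    body = ".".join(_b64u(json.dumps(c, separators=(",", ":")).encode()) for c in (header, claims))
    return body + "." + _b64u(_ecdsa_sign(d, body.encode()))

def verify_scitoken(token, jwks, now=None):
    """Resolve kid in the served JWKS, pin alg to ES256, then check signature, iss and exp."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(_b64u_dec(h64)), json.loads(_b64u_dec(c64)), _b64u_dec(s64)
        keys = [k for k in jwks["keys"] if k.get("kid") == header["kid"] and k.get("kty") == "EC"]
        iss, exp = claims["iss"], int(claims["exp"])
    except (ValueError, KeyError, TypeError, AttributeError):  # malformed token or missing claims
        return False
    if header.get("alg") != "ES256" or len(keys) != 1:  # reject alg=none and unknown kids
        return False
    pub = tuple(int.from_bytes(_b64u_dec(keys[0][c]), "big") for c in ("x", "y"))
    now = int(time.time()) if now is None else now
    return _ecdsa_verify(pub, f"{h64}.{c64}".encode(), sig) and iss == ISSUER and exp > now
```

A relying party doing ordinary OIDC discovery fetches /.well-known/openid-configuration, follows jwks_uri, and selects the key by kid; verify_scitoken does the same against the JWKS the credmon serves, and pins the algorithm to ES256 instead of trusting the token's own alg header. The forgery and expiry cases are what a verifier must reject when the issuer and the signer are the same host.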

Derek Weitzel

Feb 22, 2019, 11:47:56 AM
To: Brian Bockelman, SciTokens Discussion
Hi,

I tested this out, and it works as expected from the instructions in the main readme:
https://github.com/htcondor/scitokens-credmon

I installed condor from osg-upcoming-development, version condor-8.8.1-1.osgup.el7.x86_64 and the minicondor package. The credmon should get packages, but pip is ok.

A few notes:
- The local signer only supports elliptic curve?
- I tagged and released the scitokens python package to add support for EC in the admin tools to create the key. This was merged 2 weeks ago, but just was never tagged and released.

The format of the token changed, so I will need to coordinate next week with the OSG Connect team to update stashcp, condor, and the credmon at the same time. HTCondor on the glideins can be updated now, and I have started that conversation. May be a tricky dance.

-Derek
