given a password file, create an authentication token for the IDTOKENS authentication method
condor_token_create -identity user@domain [-key keyid] [-authz authz …] [-lifetime value] [-token filename] [-debug]
condor_token_create [-help]
condor_token_create will read an HTCondor password file inside the SEC_PASSWORD_DIRECTORY (by default, this is the pool password) and use it to create an authentication token. The authentication token may subsequently be used by clients to authenticate against a remote HTCondor server. Tokens allow fine-grained authentication as individual HTCondor users, as opposed to the pool password, where anything in possession of the pool password authenticates as the same user.
An identity must be specified for the token; this will be the client’s resulting identity at the remote HTCondor server. If the -lifetime or (one or more) -authz options are specified, the token will contain additional restrictions that limit what the client will be authorized to do. If an attacker is able to access the token, they will be able to authenticate with the identity listed in the token (subject to the restrictions above).
If successful, the resulting token will be sent to stdout; by specifying the -token option, it will instead be written to the user’s token directory. If written to SEC_TOKEN_SYSTEM_DIRECTORY, the token can be used for daemon-to-daemon authentication.
condor_token_create is only currently supported on Unix platforms.
- -authz authz
Adds a restriction to the token so it is only valid for a given authorization level (such as ADVERTISE_STARTD). If multiple authorizations are needed, then -authz must be specified multiple times. If -authz is not specified, no authorization restrictions are added and authorization will be based solely on the token’s identity. NOTE that -authz cannot be used to give an identity additional permissions at the remote host: if the server’s admin only permits the user READ authorization, then specifying -authz WRITE in a token will not allow the user to perform writes.
- -debug
Causes debugging information to be sent to stderr, based on the value of the configuration variable TOOL_DEBUG.
- -help
Display brief usage information and exit.
- -identity user@domain
Set a specific client identity to be written into the token; a client will authenticate as this identity with a remote server.
- -key keyid
Specify a key file to use under the directory specified by the SEC_PASSWORD_DIRECTORY configuration variable. The key name must match a file in the password directory; the file’s contents must be created with condor_store_cred and will be used to sign the resulting token. If -key is not set, then the default pool password will be used.
- -lifetime value
Specify the lifetime, in seconds, for the token to be valid (the token validity will start when the token is signed). After the lifetime expires, the token cannot be used for authentication. If not specified, the token will contain no lifetime restrictions.
- -token filename
Specifies a filename, relative to the directory in the SEC_TOKEN_DIRECTORY configuration variable (for example, on Linux this defaults to ~/.condor/tokens.d), where the resulting token is stored. If not specified, the token will be sent to stdout.
To create a token for firstname.lastname@example.org with no additional restrictions:
$ condor_token_create -identity firstname.lastname@example.org
To create a token for firstname.lastname@example.org that may advertise either a condor_startd or a condor_master:
$ condor_token_create -identity firstname.lastname@example.org \
    -authz ADVERTISE_STARTD \
    -authz ADVERTISE_MASTER
To create a token for firstname.lastname@example.org that is only valid for 10 minutes, and then to save it to the file friend in the user’s token directory (~/.condor/tokens.d/friend on Linux):
$ condor_token_create -identity firstname.lastname@example.org -lifetime 600 -token friend
If the administrator would like to create a specific key for signing tokens,
distinct from the default pool password, they would first use condor_store_cred
to create the key:
$ openssl rand -base64 32 | condor_store_cred -f /etc/condor/passwords.d/token_key
Note that in this case we created a random 32 character key with openssl instead of providing a human-friendly password.
Next, the administrator would run condor_token_create:
$ condor_token_create -identity firstname.lastname@example.org -key token_key
If the token_key file is deleted from the SEC_PASSWORD_DIRECTORY, then all of
the tokens issued with that key will be invalidated.
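Because a leaked token authenticates as its identity subject only to the restrictions it carries, a site may want every issued token to carry both a lifetime and explicit -authz levels. The wrapper below is an added example, not part of HTCondor or of this manual page; it assumes a site policy MAX_LIFETIME, an ALLOWED_AUTHZ list, and that CONDOR_TOKEN_CREATE names the real binary (it is overridable so the argument list can be checked in a dry run).

```shell
#!/bin/sh
# Added wrapper (not part of HTCondor) around condor_token_create that refuses
# to mint an IDTOKEN without a lifetime and at least one explicit -authz level,
# so a token that leaks is bounded both in time and in privilege.
# Assumptions: CONDOR_TOKEN_CREATE names the real binary (overridable for a dry
# run), MAX_LIFETIME is a site policy, TOKEN_KEY and TOKEN_FILE are optional.
CONDOR_TOKEN_CREATE="${CONDOR_TOKEN_CREATE:-condor_token_create}"
MAX_LIFETIME="${MAX_LIFETIME:-86400}"   # assumed site policy: one day at most
TOKEN_KEY="${TOKEN_KEY:-}"              # key name under SEC_PASSWORD_DIRECTORY
TOKEN_FILE="${TOKEN_FILE:-}"            # file name under SEC_TOKEN_DIRECTORY

# Authorization levels the wrapper is willing to put into a token (those named
# on this page); anything else is rejected rather than passed through.
ALLOWED_AUTHZ="ADVERTISE_STARTD ADVERTISE_MASTER READ WRITE"

# issue_token IDENTITY LIFETIME_SECONDS AUTHZ [AUTHZ ...]
issue_token() {
    [ $# -ge 3 ] || { echo "usage: issue_token user@domain seconds authz..." >&2; return 1; }
    identity="$1"; lifetime="$2"; shift 2
    case "$identity" in
        ?*@?*) ;;
        *) echo "identity must be user@domain, got '$identity'" >&2; return 1 ;;
    esac
    case "$lifetime" in
        ''|*[!0-9]*) echo "lifetime must be a whole number of seconds" >&2; return 1 ;;
    esac
    if [ "$lifetime" -lt 1 ] || [ "$lifetime" -gt "$MAX_LIFETIME" ]; then
        echo "lifetime $lifetime is outside 1..$MAX_LIFETIME" >&2; return 1
    fi
    levels="$*"
    # Rebuild the positional parameters as the condor_token_create argument
    # list, with one -authz flag per level as the -authz option requires.
    set -- -identity "$identity" -lifetime "$lifetime"
    for level in $levels; do
        case " $ALLOWED_AUTHZ " in
            *" $level "*) set -- "$@" -authz "$level" ;;
            *) echo "refusing authz level '$level'" >&2; return 1 ;;
        esac
    done
    [ -z "$TOKEN_KEY" ]  || set -- "$@" -key "$TOKEN_KEY"
    [ -z "$TOKEN_FILE" ] || set -- "$@" -token "$TOKEN_FILE"
    "$CONDOR_TOKEN_CREATE" "$@"
}

# Dry run: export CONDOR_TOKEN_CREATE=echo before sourcing this file, then
# issue_token worker@example.org 600 ADVERTISE_STARTD ADVERTISE_MASTER prints
# the argument list that would be passed to condor_token_create.
```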
condor_token_create will exit with a non-zero status value if it fails to read the password file, sign the token, write the output, or experiences some other error. Otherwise, it will exit 0.
condor_store_cred(1), condor_token_fetch(1), condor_token_request(1), condor_token_list(1)