From 7590beb30837564ec7ae2f413a0d6439aee3412d Mon Sep 17 00:00:00 2001
From: ILCDIRAC
Date: Thu, 30 May 2024 13:51:53 +0200
Subject: [PATCH] feat(HTCondorCE): add option to submit with SSL set UseSSLSubmission = True to a computing element and provide the local userkey and usercert files in coordination with participating Sites as they have to configure DN of the submitting user
---
 .../Computing/HTCondorCEComputingElement.py | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/DIRAC/Resources/Computing/HTCondorCEComputingElement.py b/src/DIRAC/Resources/Computing/HTCondorCEComputingElement.py
index dc0c2f1f7d7..aba38e81c2b 100644
--- a/src/DIRAC/Resources/Computing/HTCondorCEComputingElement.py
+++ b/src/DIRAC/Resources/Computing/HTCondorCEComputingElement.py
@@ -27,6 +27,10 @@ then one does not need to run condor daemons on the submit machine. If True requires the condor grid middleware (condor_submit, condor_history, condor_q, condor_rm)
+UseSSLSubmission:
+ If 'True', use SSL via a DN configured at the given computing element to submit jobs.
+ This is a bridge feature until everyone is capable to use Tokens to submit to computing elements.
+
 WorkingDirectory:
 Location to store the pilot and condor log files locally. It should exist on the server and be accessible (both readable and writeable). Also temporary files like condor submit files are kept here. This option is only read
@@ -62,7 +66,7 @@ from DIRAC.WorkloadManagementSystem.Client import PilotStatus
 from DIRAC.WorkloadManagementSystem.Client.PilotManagerClient import PilotManagerClient
 from DIRAC.FrameworkSystem.private.authorization.utils.Tokens import writeToTokenFile
-from DIRAC.Core.Security.Locations import getCAsLocation
+from DIRAC.Core.Security.Locations import getCAsLocation, getCertificateAndKeyLocation
 from DIRAC.Resources.Computing.BatchSystems.Condor import HOLD_REASON_SUBCODE, subTemplate, parseCondorStatus
 MANDATORY_PARAMETERS = ["Queue"]
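Review bot: The new `UseSSLSubmission` entry in the module docstring does not say which credentials are presented or what the site has to prepare, although the commit message does. I would extend the description with something like `Uses the local certificate and key returned by getCertificateAndKeyLocation(); the site must map that certificate's DN.` so operators do not have to read the code to learn which key file ends up in the condor environment. It is also worth stating that only the exact value 'True' is recognised as enabling the option. The docstring starts and ends outside the hunk.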
@@ -104,6 +108,7 @@ def __init__(self, ceUniqueID):
 gConfig.getValue("Resources/Computing/HTCondorCE/WorkingDirectory", DEFAULT_WORKINGDIRECTORY),
 )
 self.useLocalSchedd = True
+ self.useSSLSubmission = False
 self.remoteScheddOptions = ""
 self.tokenFile = None
@@ -217,6 +222,11 @@ def _reset(self):
 "" if self.useLocalSchedd else f"-pool {self.ceName}:{self.port} -name {self.ceName} "
 )
+ self.useSSLSubmission = self.ceParameters.get("UseSSLSubmission", self.useSSLSubmission)
+ if isinstance(self.useSSLSubmission, str):
+ if self.useSSLSubmission == "True":
+ self.useSSLSubmission = True
+
 self.log.debug("Using local schedd:", self.useLocalSchedd)
 self.log.debug("Remote scheduler option:", self.remoteScheddOptions)
 return S_OK()
@@ -239,6 +249,19 @@ def _executeCondorCommand(self, cmd, keepTokenFile=False):
 htcEnv = {
 "_CONDOR_SEC_CLIENT_AUTHENTICATION_METHODS": "GSI",
 }
+
+ if self.useSSLSubmission:
+ htcEnv = {
+ "_condor_SEC_CLIENT_AUTHENTICATION_METHODS": "SSL",
+ "_condor_AUTH_SSL_CLIENT_CERTFILE": getCertificateAndKeyLocation()[0],
+ "_condor_AUTH_SSL_CLIENT_KEYFILE": getCertificateAndKeyLocation()[1],
+ "_condor_AUTH_SSL_CLIENT_CADIR": getCAsLocation(),
+ "_condor_AUTH_SSL_SERVER_CADIR": getCAsLocation(),
+ "_condor_AUTH_SSL_USE_CLIENT_PROXY_ENV_VAR": "false",
+ "_condor_AUTH_SSL_SERVER_CAFILE": "",
+ "_condor_AUTH_SSL_CLIENT_CAFILE": "",
+ }
+
 # If a token is present, then we use it (overriding htcEnv)
 if self.token:
 # Create a new token file if we do not keep it across several calls
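Review bot: In the `_reset` hunk, any string other than the exact literal "True" is left as a string, so a CE configured with `UseSSLSubmission = False` (or `true`, `yes`) keeps a non-empty, truthy value and still passes the `if self.useSSLSubmission:` test in `_executeCondorCommand`. The authentication method would then switch to SSL with the local certificate and key even though the operator asked for it to be off. Normalise to a real boolean in one step, for example `self.useSSLSubmission = str(self.ceParameters.get("UseSSLSubmission", self.useSSLSubmission)).strip().lower() in ("true", "yes", "1")`. The body of `_reset` starts outside the hunk.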
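Review bot: The SSL branch in `_executeCondorCommand` indexes `getCertificateAndKeyLocation()` twice without checking the result, so a missing certificate/key pair would surface as an indexing error or a failed condor call rather than a clear message (assuming the helper can return a falsy value when nothing is found, which is worth confirming). Resolve it once and validate before building the environment, e.g. `certAndKey = getCertificateAndKeyLocation()` followed by `if not certAndKey:` returning this method's usual error. Because the private-key path is handed to an external process, a why-comment such as `# SSL bridge: key file must be readable by the owner only; the site maps the certificate DN` would help the next reader. The trailing context comment says a token overrides `htcEnv`, so it is also worth stating which method wins when both a token and `UseSSLSubmission` are set. The function body starts and ends outside the hunk.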