Provided by: condor_23.4.0+dfsg-1ubuntu4.1_amd64

NAME

       condor_token_fetch - HTCondor Manual

       obtain a token from a remote daemon for the IDTOKENS authentication method

SYNOPSIS

       condor_token_fetch  [-authz  authz ...] [-lifetime value] [-pool pool_name] [-name hostname] [-type type]
       [-token filename] [-key signing_key]

       condor_token_fetch [-help]

DESCRIPTION

       condor_token_fetch will attempt to fetch an authentication token from a remote daemon. If successful,
       the identity embedded in the token will be the same as the client's identity at the remote daemon.

       Authentication  tokens  are  a  useful  mechanism to limit an identity's authorization or to establish an
       alternate authentication method.  For example, an administrator may utilize condor_token_fetch to  create
       a  token  for  a  monitoring  host  that  is  limited  to  only  the  READ authorization.  A user may use
       condor_token_fetch while they are logged in to a submit host then  use  the  resulting  token  to  submit
       remotely from their personal laptop.

       If  the  -lifetime  or  (one  or  more)  -authz  options are specified, the token will contain additional
       restrictions that limit what the client will be authorized to do.

       By default, condor_token_fetch will query the local condor_schedd; by specifying a combination of  -pool,
       -name, or -type, the tool can request tokens in other pools, on other hosts, or different daemon types.

       If  successful,  the  resulting  token  will  be sent to stdout; by specifying the -token option, it will
       instead be written to the user's token directory.

OPTIONS

          -authz authz
                 Adds a restriction to the token so it is only valid to be used for a given authorization  level
                 (such  as  READ, WRITE, DAEMON, ADVERTISE_STARTD).  If multiple authorizations are needed, then
                 -authz must be specified  multiple  times.   If  -authz  is  not  specified,  no  authorization
                 restrictions  are  added  and authorization will be solely based on the token's identity.  NOTE
                 that -authz cannot be used to give an identity additional permissions at the remote  host.   If
                 the  server's admin only permits the user READ authorization, then specifying -authz WRITE in a
                 token will not allow the user to perform writes.

          -debug Causes debugging information to be sent to stderr, based on  the  value  of  the  configuration
                 variable TOOL_DEBUG.

          -help  Display brief usage information and exit.

          -lifetime value
                 Specify the lifetime, in seconds, for the token to be valid (the token validity will start when
                 the token is signed).  After the lifetime expires, the token cannot be used for authentication.
                 If not specified, the token will contain no lifetime restrictions.

          -name hostname
                 Request  a  token  from  the  daemon  named  hostname  in  the  pool.   If  not  specified, the
                 locally-running daemons will be used.

          -pool pool_name
                 Request a token from a daemon in a non-default pool pool_name.

          -token filename
                 Specifies a filename, relative  to  the  directory  in  the  SEC_TOKEN_DIRECTORY  configuration
                 variable  (defaulting  to  ~/.condor/tokens.d),  where  the  resulting token is stored.  If not
                 specified, the token will be sent to stdout.

          -type type
                 Request a token from a specific daemon type type.  If not given, a condor_schedd is used.

          -key signing_key
                 Request a token signed by the signing key  named  signing_key.   If  not  given,  the  daemon's
                 default key will be used.

EXAMPLES

       To obtain a token with a lifetime of 10 minutes from the default condor_schedd:

          $ condor_token_fetch -lifetime 600
          eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...ii7lAfCA

       To request a token from bird.cs.wisc.edu which is limited to READ and WRITE:

          $ condor_token_fetch -name bird.cs.wisc.edu \
                                -authz READ -authz WRITE
          eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...lJTj54

       To  create  a  token  from  the  collector  in  the  htcondor.cs.wisc.edu  pool  and  then  to save it to
       ~/.condor/tokens.d/friend:

          $ condor_token_fetch -pool htcondor.cs.wisc.edu -type collector \
                                -lifetime 600 -token friend
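
       Added example (not part of the HTCondor manual or the project's code): the tokens printed above are
       compact JWTs, so a saved token can be decoded to check whether the -lifetime and -authz restrictions
       are present. The claim names exp and scope, the scope value format and the sample identities are
       assumptions; the signature is not verified.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # Compact JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token, now=None):
    """Decode a token WITHOUT verifying its signature and list missing restrictions."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = claims.get("exp")                  # assumed: standard JWT expiry claim
    scope = claims.get("scope", "").split()  # assumed: space-separated authz list
    findings = []
    if exp is None:
        findings.append("no expiry (fetched without -lifetime)")
    elif exp <= now:
        findings.append("expired")
    if not scope:
        findings.append("no authz restriction (fetched without -authz)")
    return {
        "kid": header.get("kid"),
        "sub": claims.get("sub"),
        "seconds_left": None if exp is None else int(exp - now),
        "scope": scope,
        "findings": findings,
    }


def make_sample(claims):
    # Constructed, unsigned sample in the compact form shown in EXAMPLES.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "kid": "POOL"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed signing time
    limited = make_sample({"sub": "monitor@example.net", "iat": t0,
                           "exp": t0 + 600, "scope": "condor:/READ"})  # assumed format
    unlimited = make_sample({"sub": "alice@example.net", "iat": t0})
    for tok in (limited, unlimited):
        print(inspect_token(tok, now=t0 + 60))
```

       A token with an empty findings list carries both restrictions; any other result names the option
       that was omitted when the token was fetched.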

EXIT STATUS

       condor_token_fetch will exit with a non-zero status value if it fails  to  request  or  read  the  token.
       Otherwise, it will exit 0.

SEE ALSO

       condor_token_create(1), condor_token_request(1), condor_token_list(1)

AUTHOR

       Center for High Throughput Computing, University of Wisconsin-Madison

AUTHOR

       HTCondor Team

COPYRIGHT

       1990-2024,  Center  for High Throughput Computing, Computer Sciences Department, University of Wisconsin-
       Madison, Madison, WI, US. Licensed under the Apache License, Version 2.0.

                                                  Aug 25, 2024                             CONDOR_TOKEN_FETCH(1)