Provided by: condor_23.4.0+dfsg-1ubuntu4.1_amd64 bug

NAME

       condor_token_request - HTCondor Manual

       interactively request a token from a remote daemon for the IDTOKENS authentication method

SYNOPSIS

       condor_token_request  [-identity  user@domain]  [-authz  authz  ...]  [-lifetime value] [-pool pool_name]
       [-name hostname] [-type type] [-token filename]

       condor_token_request [-help ]

DESCRIPTION

       condor_token_request will request an authentication token from a remote daemon. Token  requests  must  be
       approved  by  the  daemon's administrator using condor_token_request_approve.  Unlike condor_token_fetch,
       the user doesn't need an existing identity with the remote daemon  when  using  condor_token_request  (an
       anonymous method, such as SSL without a client certificate will suffice).

       If the request is successfully enqueued, the request ID will be printed to stderr; the administrator will
       need  to  know  the  ID  to  approve  the  request.   condor_token_request will wait until the request is
       approved, timing out after an hour.

       The token request mechanism provides a powerful way to bootstrap authentication in a HTCondor  pool  -  a
       remote  user  can request an identity, verify the authenticity of the request out-of-band with the remote
       daemon's administrator, and then securely recieve their authentication token.

       By default, condor_token_request will query the local condor_collector; by specifying  a  combination  of
       -pool,  -name,  or -type, the tool can request tokens in other pools, on other hosts, or different daemon
       types.

       If successful, the resulting token will be sent to stdout; by  specifying  the  -token  option,  it  will
       instead be written to the user's token directory.

OPTIONS

          -authz authz
                 Adds  a restriction to the token so it is only valid to be used for a given authorization level
                 (such as READ, WRITE, DAEMON, ADVERTISE_STARTD).  If multiple authorizations are  needed,  then
                 -authz  must  be  specified  multiple  times.   If  -authz  is  not specified, no authorization
                 restrictions are added and authorization will be solely based on the  token's  identity.   NOTE
                 that  -authz  cannot be used to give an identity additional permissions at the remote host.  If
                 the server's admin only permits the user READ authorization, then specifying -authz WRITE in  a
                 token will not allow the user to perform writes.

          -debug Causes  debugging  information  to  be  sent to stderr, based on the value of the configuration
                 variable TOOL_DEBUG.

          -help  Display brief usage information and exit.

          -identity user@domain
                 Request a specific  identity  from  the  daemon;  a  client  using  the  resulting  token  will
                 authenticate as this identity with a remote server.  If not specified, the token will be issued
                 for the condor identity.

          -lifetime value
                 Specify the lifetime, in seconds, for the token to be valid (the token validity will start when
                 the token is signed).  After the lifetime expires, the token cannot be used for authentication.
                 If not specified, the token will contain no lifetime restrictions.

          -name hostname
                 Request  a  token  from  the  daemon  named  hostname  in  the  pool.   If  not  specified, the
                 locally-running daemons will be used.

          -pool pool_name
                 Request a token from a daemon in a non-default pool pool_name.

          -token filename
                 Specifies a filename, relative  to  the  directory  in  the  SEC_TOKEN_DIRECTORY  configuration
                 variable  (defaulting  to  ~/.condor/tokens.d),  where  the  resulting token is stored.  If not
                 specified, the token will be sent to stdout.

          -type type
                 Request a token from a specific daemon type type.  If not given, a condor_collector is used.

EXAMPLES

       To obtain a token with a lifetime of 10 minutes from the  default  condor_collector  (the  token  is  not
       returned until the daemon's administrator takes action):

          $ condor_token_request -lifetime 600
          Token request enqueued.  Ask an administrator to please approve request 6108900.
          eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...ii7lAfCA

       To request a token from bird.cs.wisc.edu which is limited to READ and WRITE:

          $ condor_token_request -name bird.cs.wisc.edu \
                                 -identity bucky@cs.wisc.edu
                                 -authz READ -authz WRITE
          Token request enqueued.  Ask an administrator to please approve request 2578154
          eyJhbGciOiJIUzI1NiIsImtpZCI6IlBPT0wifQ.eyJpYX...lJTj54

       To  create  a  token  from  the  collector  in  the  htcondor.cs.wisc.edu  pool  and  then  to save it to
       ~/.condor/tokens.d/friend:

          $ condor_token_request -pool htcondor.cs.wisc.edu \
                               -identity friend@cs.wisc.edu \
                               -lifetime 600 -token friend
          Token request enqueued.  Ask an administrator to please approve request 2720841.

EXIT STATUS

       condor_token_request will exit with a non-zero status value if it fails to request or recieve the  token.
       Otherwise, it will exit 0.

SEE ALSO

       condor_token_create(1),              condor_token_fetch(1),              condor_token_request_approve(1),
       condor_token_request_auto_approve(1), condor_token_list(1)

AUTHOR

       Center for High Throughput Computing, University of Wisconsin-Madison

AUTHOR

       HTCondor Team

COPYRIGHT

       1990-2024, Center for High Throughput Computing, Computer Sciences Department, University  of  Wisconsin-
       Madison, Madison, WI, US. Licensed under the Apache License, Version 2.0.

                                                  Aug 25, 2024                           CONDOR_TOKEN_REQUEST(1)