Merge branch 'V23-branch' into V23_x-branch

Author: timtheisen

Makefile

@@ -138,9 +138,8 @@ CE_DEFAULT_CONFIG_FILES := \
 	contrib/apelscripts/50-ce-apel-defaults.conf
 
 CE_MAP_FILES := \
-	config/mapfiles.d/10-gsi.conf \
+	config/mapfiles.d/10-ssl.conf \
 	config/mapfiles.d/10-scitokens.conf \
-	config/mapfiles.d/50-gsi-callout.conf \
 	config/mapfiles.d/90-ban.conf
 
 CE_CONDOR_CONFIG_FILES := \

config/01-ce-auth.conf

@@ -10,7 +10,7 @@
 # By default, regular expressions in the second field of HTCondor-CE
 # mapfiles must be enclosed with '/'. For exmaple:
 #
-# GSI /(.*)/  GSS_ASSIST_GRIDMAP
+# SSL /(.*/CN=Jane)/  jane
 #
 # To restore the previous behavior where the second field is enclosed
 # in double-quotes and they are all treated as potential regular

config/01-common-auth-defaults.conf

@@ -15,7 +15,7 @@ use security:recommended_v9_0
 # Pool password directory for the CE and collector.
 SEC_PASSWORD_DIRECTORY = /etc/condor-ce/passwords.d
 
-# GSI settings
+# Authentication settings
 CERTIFICATE_MAPFILE=/etc/condor-ce/condor_mapfile
 
 # Alter SSL settings to work with both standard and grid file locations

config/05-ce-collector-auth.conf

@@ -10,14 +10,8 @@
 ###############################################################################
 
 # Allow site CEs to advertise to the central collector via SSL (SOFTWARE-3939)
-if version > 9.0.6
-  # 9.0.6 includes AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE (HTCONDOR-236)
-  COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = SSL, GSI
-  COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = SSL, GSI
-else
-  COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = GSI, SSL
-  COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = GSI, SSL
-endif
+COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = SSL
+COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = SSL
 
 # Allow CEs and XCache hosts not in the grid-mapfile to advertise to the central collector
 COLLECTOR.ALLOW_ADVERTISE_SCHEDD = $(COLLECTOR.ALLOW_ADVERTISE_SCHEDD), $(UNMAPPED_USERS), $(USERS)

config/05-ce-view-defaults.conf

@@ -51,7 +51,7 @@ else
     # CE View drops privs after startup to the condor user, which doesn't
     # have access to the host key for auth. Use FS auth instead.
     CEVIEW.SEC_CLIENT_AUTHENTICATION_METHODS = FS
-    MASTER.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI
+    MASTER.SEC_DEFAULT_AUTHENTICATION_METHODS = FS
 endif
 
 # Cherrypy does not respect SIGTERM signals from the master, so kill it (and everything else) quickly

config/condor-ce

@@ -15,10 +15,6 @@
 # /opt/condor
 # export PATH=/opt/condor/bin:/opt/condor/sbin:$PATH
 
-# Example: Have GSI authorization use a different plugin for Condor than the
-# rest of the system.
-# export GSI_AUTHZ_CONF=/etc/condor-ce/gsi-authz.conf
-
 # Example: Have the HTCondor-CE use a different hostname from the rest of
 # the system.
 # export CONDORCE_HOSTNAME=condorce.example.com

config/condor-ce-collector

@@ -15,10 +15,6 @@
 # /opt/condor
 # export PATH=/opt/condor/bin:/opt/condor/sbin:$PATH
 
-# Example: Have GSI authorization use a different plugin for Condor than the
-# rest of the system.
-# export GSI_AUTHZ_CONF=/etc/condor-ce/gsi-authz.conf
-
 # Example: Have the HTCondor-CE collector use a different hostname from the rest of
 # the system.
 # export CONDORCE_HOSTNAME=condorce.example.com

config/mapfiles.d/10-gsi.conf renamed to config/mapfiles.d/10-ssl.conf

@@ -6,8 +6,8 @@
 #
 ###############################################################################
 
-# Using GSI authentication for certificates requires the issuer CAs to be
-# installed in /etc/grid-security/certificates. If you would also like to
+# Using SSL authentication for IGTF certificates requires the issuer CAs to
+# be installed in /etc/grid-security/certificates. If you would also like to
 # authenticate VOMS attributes, *.lsc files should be installed in
 # /etc/grid-security/vomsdir/
 
@@ -16,16 +16,16 @@
 # with '\/') with the Distinguished Name (DN) of the incoming user certificate
 # and the unix account under which the job should run, respectively:
 #
-# GSI /<DISTINGUISHED NAME>/ <USERNAME>
+# SSL /<DISTINGUISHED NAME>/ <USERNAME>
 
 # VOMS attributes can also be used for mapping:
 #
-# GSI /<DISTINGUISHED NAME>,<VOMS FQAN 1>,<VOMS FQAN 2>,...,<VOMSFQAN N>/ <USERNAME>
+# SSL /<DISTINGUISHED NAME>,<VOMS FQAN 1>,<VOMS FQAN 2>,...,<VOMSFQAN N>/ <USERNAME>
 
 # The second field should be a Perl Compatible Regular Expression (PCRE), thus
 # allowing you to accept any DN with a given VOMS FQAN. For example, to map any
 # GLOW certificate with the 'htpc' role to the 'glow' user, add a line that
 # looks like the following:
 #
-# GSI /.*,\/GLOW\/Role=htpc.*/ glow
+# SSL /.*,\/GLOW\/Role=htpc.*/ glow
 #

config/mapfiles.d/50-gsi-callout.conf

@@ -303,9 +303,8 @@ getent passwd condorce_webapp >/dev/null || \
 %config(noreplace) %{_sysconfdir}/condor-ce/config.d/03-managed-fork.conf
 %config(noreplace) %{_sysconfdir}/sysconfig/condor-ce
 
-%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-gsi.conf
+%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-ssl.conf
 %config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-scitokens.conf
-%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/50-gsi-callout.conf
 %config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/90-ban.conf
 
 %{_datadir}/condor-ce/config.d/01-ce-audit-payloads-defaults.conf

rpm/htcondor-ce.spec

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_config_val "$@"

src/condor_ce_config_val

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_history "$@"

src/condor_ce_history

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_hold "$@"

src/condor_ce_hold

@@ -7,7 +7,6 @@ missing_tool()
 }
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 CONDOR_BIN_DIR=$(/usr/bin/dirname $(/usr/bin/which condor_version 2> /dev/null ) 2> /dev/null ) 
 if [ -z "$CONDOR_BIN_DIR" ]; then
     missing_tool

src/condor_ce_job_router_info

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_off "$@"

src/condor_ce_off

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_on "$@"

src/condor_ce_on

@@ -1,7 +1,6 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 
 exec condor_ping "$@"
 

src/condor_ce_ping

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_q "$@"

src/condor_ce_q

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_qedit "$@"

src/condor_ce_qedit

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_reconfig "$@"

src/condor_ce_reconfig

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_release "$@"

src/condor_ce_release

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_reschedule "$@"

src/condor_ce_reschedule

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_restart "$@"

src/condor_ce_restart

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_rm "$@"

src/condor_ce_rm

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_router_q -S "$@"

src/condor_ce_router_q

@@ -234,7 +234,7 @@ def main():
     opts, args = parse_opts()
     if opts.remote:
         os.environ.setdefault("CONDOR_CONFIG", "/etc/condor-ce/condor_config")
-        os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,GSI,FS')
+        os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,SSL,FS')
 
     if len(args) < 2:
         print("Usage: condor_ce_run <hostname> <command> [arg1] [arg2] [...]")

src/condor_ce_run

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_status "$@"

src/condor_ce_status

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_store_cred "$@"

src/condor_ce_store_cred

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_submit "$@"

src/condor_ce_submit

@@ -332,7 +332,7 @@ def main():
         raise ce.CondorRunException('ERROR: Could not find CE schedd at %s.\n' % job_info['schedd_name'] + \
                                     'Verify that the Scheduler daemon is up with `condor_ce_status -any`.')
 
-    os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,GSI,FS')
+    os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,SSL,FS')
     check_authz(coll_ad, schedd_ad)
     try:
         job_info.update(ce.generate_job_files())

src/condor_ce_trace

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_transform_ads "$@"

src/condor_ce_transform_ads

@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_upgrade_check -ce "$@"

src/condor_ce_upgrade_check

@@ -1,7 +1,6 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 
 echo "\$HTCondorCEVersion: $(condor_ce_config_val HTCondorCEVersion | tr -d \") \$"
 exec condor_version "$@"