.\" Man page generated from reStructuredText. . . .nr rst2man-indent-level 0 . .de1 rstReportMargin \\$1 \\n[an-margin] level \\n[rst2man-indent-level] level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - \\n[rst2man-indent0] \\n[rst2man-indent1] \\n[rst2man-indent2] .. .de1 INDENT .\" .rstReportMargin pre: . RS \\$1 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] . nr rst2man-indent-level +1 .\" .rstReportMargin post: .. .de UNINDENT . RE .\" indent \\n[an-margin] .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] .nr rst2man-indent-level -1 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. .TH "CONDOR_STORE_CRED" "1" "Apr 01, 2024" "" "HTCondor Manual" .SH NAME condor_store_cred \- HTCondor Manual .sp securely stash a credential .SH SYNOPSIS .sp \fBcondor_store_cred\fP \fB\-h\fP .sp \fBcondor_store_cred\fP action [ \fIoptions\fP ] .SH DESCRIPTION .sp \fIcondor_store_cred\fP stores credentials in a secure manner. There are three actions, each of which can optionally be followed by a hyphen and one of three types. .sp The actions are: .INDENT 0.0 .INDENT 3.5 .INDENT 0.0 .TP \fBadd[\-type]\fP Add credential to secure storage .TP \fBdelete[\-type]\fP Remove credential from secure storage .TP \fBquery[\-type]\fP Check if a credential has been stored .UNINDENT .UNINDENT .UNINDENT .sp The types are: .INDENT 0.0 .INDENT 3.5 .INDENT 0.0 .TP \fB\-pwd\fP Credential is a password (default) .TP \fB\-krb\fP Credential is a Kerberos/AFS token .TP \fB\-oauth\fP Credential is Scitoken or Oauth2 token .UNINDENT .UNINDENT .UNINDENT .sp Credentials are stashed in a persistent manner; they are maintained across system reboots. When adding a credential, if there is already a credential stashed, the old credential will be overwritten by the new one. .sp There are two separate uses of the password actions of \fIcondor_store_cred\fP: .INDENT 0.0 .IP 1. 3 A shared pool password is needed in order to implement the \fBPASSWORD\fP authentication method. \fIcondor_store_cred\fP using the \fB\-c\fP option deals with the password for the implied condor_pool@$(UID_DOMAIN) user name. .sp On a Unix machine, \fIcondor_store_cred add[\-pwd]\fP with the \fB\-f\fP option is used to set the pool password, as needed when used with the \fBPASSWORD\fP authentication method. The pool password is placed in a file specified by the \fI\%SEC_PASSWORD_FILE\fP configuration variable. .IP 2. 3 In order to submit a job from a Windows platform machine, or to execute a job on a Windows platform machine utilizing the \fI\%run_as_owner\fP functionality, \fIcondor_store_cred add[\-pwd]\fP stores the password of a user/domain pair securely in the Windows registry. Using this stored password, HTCondor may act on behalf of the submitting user to access files, such as writing output or log files. HTCondor is able to run jobs with the user ID of the submitting user. The password is stored in the same manner as the system does when setting or changing account passwords. .UNINDENT .sp Unless the \fI\-p\fP argument is used with the \fIadd\fP or \fIadd\-pwd\fP action, the user is prompted to enter the password twice for confirmation, and characters are not echoed. .sp The \fIadd\-krb\fP and \fIadd\-oauth\fP actions must be used with the \fI\-i\fP argument to specify a filename to read from. .sp The \fI\-oauth\fP actions require a \fI\-s\fP service name argument. The \fI\-S\fP and \fI\-A\fP options may be used with \fIadd\-oauth\fP to add scopes and/or audience to the credentials or with \fIquery\-oauth\fP to make sure that the scopes or audience match the previously stored credentials. If either \fI\-S\fP or \fI\-A\fP are used then the credentials must be in JSON format. .SH OPTIONS .INDENT 0.0 .INDENT 3.5 .INDENT 0.0 .TP \fB\-h\fP Displays a brief summary of command options. .TP \fB\-c\fP \fI[\-pwd]\fP actions refer to the pool password, as used in the \fBPASSWORD\fP authentication method. .TP \fB\-f\fP \fIfilename\fP For Unix machines only, generates a pool password file named \fIfilename\fP that may be used with the \fBPASSWORD\fP authentication method. .TP \fB\-i\fP \fIfilename\fP Read credential from \fIfilename\fP\&. If \fIfilename\fP is \fI\-\fP, read from stdin. Required for \fIadd\-krb\fP and \fIadd\-oauth\fP\&. .TP \fB\-s\fP \fIservice\fP The Oauth2 service. Required for all \fI\-oauth\fP actions. .TP \fB\-H\fP \fIhandle\fP Specify a handle for the given OAuth2 service. .TP \fB\-S\fP \fIscopes\fP Optional comma\-separated list of scopes to request for \fIadd\-oauth\fP action. If used with the \fIquery\-oauth\fP action, makes sure that the same scopes were requested in the original credential. Requires credentials to be in JSON format. .TP \fB\-A\fP \fIaudience\fP Optional audience to request for \fIadd\-oauth\fP action. If used with the \fIquery\-oauth\fP action, makes sure that the same audience was requested in the original credential. Requires credentials to be in JSON format. .TP \fB\-n\fP \fImachinename\fP Apply the command on the given machine. .TP \fB\-p\fP \fIpassword\fP Stores \fIpassword\fP, rather than prompting the user to enter a password. .TP \fB\-u\fP \fIusername\fP Specify the user name. .UNINDENT .UNINDENT .UNINDENT .SH EXIT STATUS .sp \fIcondor_store_cred\fP will exit with a status value of 0 (zero) upon success. If the \fIquery\-oauth\fP action finds a credential but the scopes or audience don\(aqt match, \fIcondor_store_cred\fP will exit with a status value 2 (two). Otherwise, it will exit with the value 1 (one) upon failure. .SH AUTHOR HTCondor Team .SH COPYRIGHT 1990-2024, Center for High Throughput Computing, Computer Sciences Department, University of Wisconsin-Madison, Madison, WI, US. Licensed under the Apache License, Version 2.0. .\" Generated by docutils manpage writer. .