htcondor · JaimeFrey · Oct 21, 2024 · Oct 17, 2024
diff --git a/Makefile b/Makefile
@@ -138,9 +138,8 @@ CE_DEFAULT_CONFIG_FILES := \
 	contrib/apelscripts/50-ce-apel-defaults.conf
 
 CE_MAP_FILES := \
-	config/mapfiles.d/10-gsi.conf \
+	config/mapfiles.d/10-ssl.conf \
 	config/mapfiles.d/10-scitokens.conf \
-	config/mapfiles.d/50-gsi-callout.conf \
 	config/mapfiles.d/90-ban.conf
 
 CE_CONDOR_CONFIG_FILES := \

diff --git a/config/01-ce-auth.conf b/config/01-ce-auth.conf
@@ -10,7 +10,7 @@
 # By default, regular expressions in the second field of HTCondor-CE
 # mapfiles must be enclosed with '/'. For exmaple:
 #
-# GSI /(.*)/  GSS_ASSIST_GRIDMAP
+# SSL /(.*/CN=Jane)/  jane
 #
 # To restore the previous behavior where the second field is enclosed
 # in double-quotes and they are all treated as potential regular

diff --git a/config/01-common-auth-defaults.conf b/config/01-common-auth-defaults.conf
@@ -15,7 +15,7 @@ use security:recommended_v9_0
 # Pool password directory for the CE and collector.
 SEC_PASSWORD_DIRECTORY = /etc/condor-ce/passwords.d
 
-# GSI settings
+# Authentication settings
 CERTIFICATE_MAPFILE=/etc/condor-ce/condor_mapfile
 
 # Alter SSL settings to work with both standard and grid file locations

diff --git a/config/05-ce-collector-auth.conf b/config/05-ce-collector-auth.conf
@@ -10,14 +10,8 @@
 ###############################################################################
 
 # Allow site CEs to advertise to the central collector via SSL (SOFTWARE-3939)
-if version > 9.0.6
-  # 9.0.6 includes AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE (HTCONDOR-236)
-  COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = SSL, GSI
-  COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = SSL, GSI
-else
-  COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = GSI, SSL
-  COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = GSI, SSL
-endif
+COLLECTOR.SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = SSL
+COLLECTOR.SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = SSL
 
 # Allow CEs and XCache hosts not in the grid-mapfile to advertise to the central collector
 COLLECTOR.ALLOW_ADVERTISE_SCHEDD = $(COLLECTOR.ALLOW_ADVERTISE_SCHEDD), $(UNMAPPED_USERS), $(USERS)

diff --git a/config/05-ce-view-defaults.conf b/config/05-ce-view-defaults.conf
@@ -51,7 +51,7 @@ else
     # CE View drops privs after startup to the condor user, which doesn't
     # have access to the host key for auth. Use FS auth instead.
     CEVIEW.SEC_CLIENT_AUTHENTICATION_METHODS = FS
-    MASTER.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, GSI
+    MASTER.SEC_DEFAULT_AUTHENTICATION_METHODS = FS
 endif
 
 # Cherrypy does not respect SIGTERM signals from the master, so kill it (and everything else) quickly

diff --git a/config/condor-ce b/config/condor-ce
@@ -15,10 +15,6 @@
 # /opt/condor
 # export PATH=/opt/condor/bin:/opt/condor/sbin:$PATH
 
-# Example: Have GSI authorization use a different plugin for Condor than the
-# rest of the system.
-# export GSI_AUTHZ_CONF=/etc/condor-ce/gsi-authz.conf
-
 # Example: Have the HTCondor-CE use a different hostname from the rest of
 # the system.
 # export CONDORCE_HOSTNAME=condorce.example.com

diff --git a/config/condor-ce-collector b/config/condor-ce-collector
@@ -15,10 +15,6 @@
 # /opt/condor
 # export PATH=/opt/condor/bin:/opt/condor/sbin:$PATH
 
-# Example: Have GSI authorization use a different plugin for Condor than the
-# rest of the system.
-# export GSI_AUTHZ_CONF=/etc/condor-ce/gsi-authz.conf
-
 # Example: Have the HTCondor-CE collector use a different hostname from the rest of
 # the system.
 # export CONDORCE_HOSTNAME=condorce.example.com

diff --git a/config/mapfiles.d/10-gsi.conf → config/mapfiles.d/10-ssl.conf b/config/mapfiles.d/10-gsi.conf → config/mapfiles.d/10-ssl.conf
@@ -6,8 +6,8 @@
 #
 ###############################################################################
 
-# Using GSI authentication for certificates requires the issuer CAs to be
-# installed in /etc/grid-security/certificates. If you would also like to
+# Using SSL authentication for IGTF certificates requires the issuer CAs to
+# be installed in /etc/grid-security/certificates. If you would also like to
 # authenticate VOMS attributes, *.lsc files should be installed in
 # /etc/grid-security/vomsdir/
 
@@ -16,16 +16,16 @@
 # with '\/') with the Distinguished Name (DN) of the incoming user certificate
 # and the unix account under which the job should run, respectively:
 #
-# GSI /<DISTINGUISHED NAME>/ <USERNAME>
+# SSL /<DISTINGUISHED NAME>/ <USERNAME>
 
 # VOMS attributes can also be used for mapping:
 #
-# GSI /<DISTINGUISHED NAME>,<VOMS FQAN 1>,<VOMS FQAN 2>,...,<VOMSFQAN N>/ <USERNAME>
+# SSL /<DISTINGUISHED NAME>,<VOMS FQAN 1>,<VOMS FQAN 2>,...,<VOMSFQAN N>/ <USERNAME>
 
 # The second field should be a Perl Compatible Regular Expression (PCRE), thus
 # allowing you to accept any DN with a given VOMS FQAN. For example, to map any
 # GLOW certificate with the 'htpc' role to the 'glow' user, add a line that
 # looks like the following:
 #
-# GSI /.*,\/GLOW\/Role=htpc.*/ glow
+# SSL /.*,\/GLOW\/Role=htpc.*/ glow
 #
diff --git a/config/mapfiles.d/50-gsi-callout.conf b/config/mapfiles.d/50-gsi-callout.conf
diff --git a/rpm/htcondor-ce.spec b/rpm/htcondor-ce.spec
@@ -303,9 +303,8 @@ getent passwd condorce_webapp >/dev/null || \
 %config(noreplace) %{_sysconfdir}/condor-ce/config.d/03-managed-fork.conf
 %config(noreplace) %{_sysconfdir}/sysconfig/condor-ce
 
-%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-gsi.conf
+%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-ssl.conf
 %config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/10-scitokens.conf
-%config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/50-gsi-callout.conf
 %config(noreplace) %{_sysconfdir}/condor-ce/mapfiles.d/90-ban.conf
 
 %{_datadir}/condor-ce/config.d/01-ce-audit-payloads-defaults.conf

diff --git a/src/condor_ce_config_val b/src/condor_ce_config_val
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_config_val "$@"
diff --git a/src/condor_ce_history b/src/condor_ce_history
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_history "$@"
diff --git a/src/condor_ce_hold b/src/condor_ce_hold
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_hold "$@"
diff --git a/src/condor_ce_job_router_info b/src/condor_ce_job_router_info
@@ -7,7 +7,6 @@ missing_tool()
 }
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 CONDOR_BIN_DIR=$(/usr/bin/dirname $(/usr/bin/which condor_version 2> /dev/null ) 2> /dev/null ) 
 if [ -z "$CONDOR_BIN_DIR" ]; then
     missing_tool

diff --git a/src/condor_ce_off b/src/condor_ce_off
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_off "$@"
diff --git a/src/condor_ce_on b/src/condor_ce_on
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_on "$@"
diff --git a/src/condor_ce_ping b/src/condor_ce_ping
@@ -1,7 +1,6 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 
 exec condor_ping "$@"
 
diff --git a/src/condor_ce_q b/src/condor_ce_q
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_q "$@"
diff --git a/src/condor_ce_qedit b/src/condor_ce_qedit
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_qedit "$@"
diff --git a/src/condor_ce_reconfig b/src/condor_ce_reconfig
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_reconfig "$@"
diff --git a/src/condor_ce_release b/src/condor_ce_release
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_release "$@"
diff --git a/src/condor_ce_reschedule b/src/condor_ce_reschedule
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_reschedule "$@"
diff --git a/src/condor_ce_restart b/src/condor_ce_restart
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_restart "$@"
diff --git a/src/condor_ce_rm b/src/condor_ce_rm
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_rm "$@"
diff --git a/src/condor_ce_router_q b/src/condor_ce_router_q
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_router_q -S "$@"
diff --git a/src/condor_ce_run b/src/condor_ce_run
@@ -234,7 +234,7 @@ def main():
     opts, args = parse_opts()
     if opts.remote:
         os.environ.setdefault("CONDOR_CONFIG", "/etc/condor-ce/condor_config")
-        os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,GSI,FS')
+        os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,SSL,FS')
 
     if len(args) < 2:
         print("Usage: condor_ce_run <hostname> <command> [arg1] [arg2] [...]")

diff --git a/src/condor_ce_status b/src/condor_ce_status
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_status "$@"
diff --git a/src/condor_ce_store_cred b/src/condor_ce_store_cred
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_store_cred "$@"
diff --git a/src/condor_ce_submit b/src/condor_ce_submit
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_submit "$@"
diff --git a/src/condor_ce_trace b/src/condor_ce_trace
@@ -332,7 +332,7 @@ def main():
         raise ce.CondorRunException('ERROR: Could not find CE schedd at %s.\n' % job_info['schedd_name'] + \
                                     'Verify that the Scheduler daemon is up with `condor_ce_status -any`.')
 
-    os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,GSI,FS')
+    os.environ.setdefault('_condor_SEC_CLIENT_AUTHENTICATION_METHODS', 'SCITOKENS,SSL,FS')
     check_authz(coll_ad, schedd_ad)
     try:
         job_info.update(ce.generate_job_files())

diff --git a/src/condor_ce_transform_ads b/src/condor_ce_transform_ads
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_transform_ads "$@"
diff --git a/src/condor_ce_upgrade_check b/src/condor_ce_upgrade_check
@@ -1,5 +1,4 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 exec condor_upgrade_check -ce "$@"
diff --git a/src/condor_ce_version b/src/condor_ce_version
@@ -1,7 +1,6 @@
 #!/bin/sh
 
 . /usr/share/condor-ce/condor_ce_env_bootstrap
-export GSI_AUTHZ_CONF=/dev/null
 
 echo "\$HTCondorCEVersion: $(condor_ce_config_val HTCondorCEVersion | tr -d \") \$"
 exec condor_version "$@"