Provided by: condor_23.9.6+dfsg-2.1_amd64 
NAME
condor_token_create - HTCondor Manual
given a password file, create an authentication token for the IDTOKENS authentication method
SYNOPSIS
condor_token_create -identity user@domain [-key keyid] [-authz authz ...] [-lifetime value] [-token
filename | -file filename] [-debug]
condor_token_create [-help ]
DESCRIPTION
condor_token_create will read an HTCondor password file inside the SEC_PASSWORD_DIRECTORY (by default,
this is the pool password) and use it to create an authentication token. The authentication token may be
subsequently used by clients to authenticate against a remote HTCondor server. Tokens allow fine-grained
authentication as individual HTCondor users as opposed to pool password, where anything in possession of
the pool password will authenticate as the same user.
An identity must be specified for the token; this will be the client's resulting identity at the remote
HTCondor server. If the -lifetime or (one or more) -authz options are specified, the token will contain
additional restrictions that limit what the client will be authorized to do. If an attacker is able to
access the token, they will be able to authenticate with the identity listed in the token (subject to the
restrictions above).
If successful, the resulting token will be sent to stdout. With the -token option, the token will
instead be written to the user's token directory (the value may not have any path information). With the
-file option, the token will be written to the given file (the value may be an arbitrary filename). If
written to SEC_TOKEN_SYSTEM_DIRECTORY (default /etc/condor/tokens.d), then the token can be used for
daemon-to-daemon authentication.
condor_token_create is only currently supported on Unix platforms.
OPTIONS
-authz authz
Adds a restriction to the token so it is only valid to be used for a given authorization level
(such as READ, WRITE, DAEMON, ADVERTISE_STARTD). If multiple authorizations are needed, then
-authz must be specified multiple times. If -authz is not specified, no authorization
restrictions are added and authorization will be solely based on the token's identity. NOTE
that -authz cannot be used to give an identity additional permissions at the remote host. If
the server's admin only permits the user READ authorization, then specifying -authz WRITE in a
token will not allow the user to perform writes.
-debug Causes debugging information to be sent to stderr, based on the value of the configuration
variable TOOL_DEBUG.
-help Display brief usage information and exit.
-identity user@domain
Set a specific client identity to be written into the token; a client will authenticate as this
identity with a remote server.
-key keyid
Specify a key file to use under the directory specified by the SEC_PASSWORD_DIRECTORY
configuration variable. The key name must match a file in the password directory; the file's
contents must be created with condor_store_cred and will be used to sign the resulting token.
If -key is not set, then the default pool password will be used.
-lifetime value
Specify the lifetime, in seconds, for the token to be valid (the token validity will start when
the token is signed). After the lifetime expires, the token cannot be used for authentication.
If not specified, the token will contain no lifetime restrictions.
-token filename
Specifies a filename, relative to the directory in the SEC_TOKEN_DIRECTORY configuration
variable (for example, on Linux this defaults to ~/.condor/tokens.d), where the resulting token
is stored. If not specified, the token will be sent to stdout.
EXAMPLES
To create a token for jane@cs.wisc.edu with no additional restrictions:
$ condor_token_create -identity jane@cs.wisc.edu
eyJhbGciOiJIUzI1NiIsImtpZCI6Il....bnu3NoO9BGM
To create a token for worker-node@cs.wisc.edu that may advertise either a condor_startd or a
condor_master:
$ condor_token_create -identity worker-node@cs.wisc.edu \
-authz ADVERTISE_STARTD \
-authz ADVERTISE_MASTER
eyJhbGciOiJIUzI1NiIsImtpZC.....8wkstyj_OnM0SHsOdw
To create a token for friend@cs.wisc.edu that is only valid for 10 minutes, and then to save it to
~/.condor/tokens.d/friend:
$ condor_token_create -identity friend@cs.wisc.edu -lifetime 600 -token friend
If the administrator would like to create a specific key for signing tokens, token_key, distinct from the
default pool password, they would first use condor_store_cred to create the key:
$ openssl rand -base64 32 | condor_store_cred -f /etc/condor/passwords.d/token_key
Note, in this case, we created a random 32 character key using SSL instead of providing a human-friendly
password.
Next, the administrator would run run condor_token_create:
$ condor_token_create -identity frida@cs.wisc.edu -key token_key
eyJhbGciOiJIUzI1NiIsImtpZCI6I.....eyJpYXQiOUzlN6QA
If the token_key file is deleted from the SEC_PASSWORD_DIRECTORY, then all of the tokens issued with that
key will be invalidated.
EXIT STATUS
condor_token_create will exit with a non-zero status value if it fails to read the password file, sign
the token, write the output, or experiences some other error. Otherwise, it will exit 0.
SEE ALSO
condor_store_cred(1), condor_token_fetch(1), condor_token_request(1), condor_token_list(1)
AUTHOR
Center for High Throughput Computing, University of Wisconsin-Madison
AUTHOR
HTCondor Team
COPYRIGHT
1990-2024, Center for High Throughput Computing, Computer Sciences Department, University of Wisconsin-
Madison, Madison, WI, US. Licensed under the Apache License, Version 2.0.
Jun 20, 2025 CONDOR_TOKEN_CREATE(1)