Open bbockelm opened 5 years ago
For the configs (condor and apache) there are now command line options to scitokens_credmon to install them. Some tweaking is needed to make the install script more configurable/universal, and this should probably be done before tagging 1.0. But this means configs aren't haphazardly added to condor and apache by pip/rpm/etc. until the admin is ready to enable the credmon.
The install script drops two condor configs, one that configures the credd and credmon ("infrequently edited") and another that contains a commented out example for adding a Box OAuth client ("must be edited").
Going the install/config script route is pretty nasty. Very difficult to manage via puppet, for example.
Instead, you want to drop the configs in place and let the admin flip the boolean from disabled to enabled.
Would it be better to drop inert, commented-out configs in the right locations, and then have the script modify them in place? In addition to flipping everything on, it would be nice to have a single script to modify both condor and webserver configs simultaneously so that they are consistent (e.g. port number, web subdirectory).
Sure, that’s fine. Just be aware that admins will mostly care about what they need to put into Puppet. So, we want to make sure we explain the relevant config files.
We should really include proper packaging of the credmon itself in order to make this straightforward to install "alongside" a schedd.
Thoughts that come to mind:
.well-known directory for OAuth2 auto-discovery.
The end goal is that yum install scitokens-credmon - with very minimal config changes - should result in a working local issuer.