managed-tokens

module
v0.18.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 6, 2026 License: Apache-2.0

README

Go Report Card Go build and test PkgGoDev

managed-tokens

Managed Tokens service for Condor/Hashicorp Vault/OpenBao Service Token Distribution

The Managed Tokens Service stores and distributes HashiCorp Vault/OpenBao Service tokens for stakeholders to use in their automated grid computing activities. Specifically, the Managed Tokens service enables stakeholders to automate grid activities such as job submission and file transfers by ensuring that the valid credentials (Vault Tokens) always exist on submit nodes, ready to be used.

Executables

The Managed Tokens Service consists of two executables:

  • token-push: Executable that uses the service keytabs to generate vault tokens, store them on HTCondor credd machines, and push the vault tokens to the experiment interactive nodes. By default, this runs every hour.
  • refresh-uids-from-ferry: Executable that queries FERRY (the credentials and grid mapping registry service at Fermilab) to pull down the applicable UIDs for the configured UNIX accounts. By default, this runs daily each morning.

The first time the operator of a Managed Tokens service deployment runs token-push for a given service (experiment-role combination), the operator needs to pass the -r/--run-onboarding flag, with -s <SERVICE> also specified. This will enable the operator to authenticate with the token issuer and generate the refresh token that will eventually be used to generate new bearer tokens and vault tokens.

The token-push executable will copy the vault token to the destination nodes at two locations:

  • /tmp/vt_u<UID>
  • /tmp/vt_u<UID>-<service>

Notifications and Stakeholder-Specific Emails

The Managed Tokens Service, under the default mode, will send errors and pertinent warnings to three places:

  • Stakeholder-specific alerts will go to the recipients specified in the emails entry for a stakeholder in the configuration file.
  • All alerts will get sent to configured admin_email (logging level ERROR or above).
  • All alerts will get sent to the configured slack channel

Notifications can be disabled globally or by stakeholder via the configuration file, or globally with the --dont-notify/--disable-notifications flag passed to the command line.

Monitoring

Logs

The logfiles for the Managed Tokens service are, by default, located in the /var/log/managed-tokens directory (configurable). Each executable has its own log and debug log, and these are rotated periodically by default if installed via RPM.

Metrics

These are the current prometheus metrics that can be pushed from the Managed Tokens executables to a prometheus pushgateway configured at the prometheus.host entry in the configuration file. These are:

General executable-level metrics
  • managed_tokens_stage_duration_seconds: Per executable, per stage (setup, processing, cleanup). How long each stage took to run.
refresh-uids-from-ferry-specific metrics
  • managed_tokens_last_ferry_refresh: Timestamp of when refresh-uids-from-ferry executable last got information from FERRY.
  • managed_tokens_ferry_request_duration_seconds: The amount of time it took in seconds to make a request to FERRY and receive the response
  • managed_tokens_ferry_request_error_count: The number of requests to FERRY that failed
token-push-specific metrics
  • managed_tokens_failed_services_push_count: Count of how many services registered a failure to push a vault token to a node in the current run of token-push. Basically, a failure count.
Internal library metrics
Kerberos metrics
  • managed_tokens_kinit_duration_seconds: Duration (in seconds) for a kerberos ticket to be created from the service principal
  • managed_tokens_failed_kinit_count: The number of times the Managed Tokens Service failed to create a kerberos ticket from the service principal
Vault Token Store metrics
  • managed_tokens_last_token_store_timestamp: Timestamp of the last successful store of a service vault token in a condor credd by the Managed Tokens Service
  • managed_tokens_token_store_duration_seconds: Duration (in seconds) for a vault token to get stored in a condor credd
  • managed_tokens_failed_vault_token_store_count: The number of times the Managed Tokens Service failed to store a vault token in a condor credd
Node-pinging metrics
  • managed_tokens_ping_duration_seconds: Duration (in seconds) to ping a node
  • managed_tokens_failed_ping_count: The number of times the Managed Tokens Service failed to ping a node
Pushing tokens metrics
  • managed_tokens_last_token_push_timestamp: Timestamp of when token-push last pushed a particular service vault token to a particular node.
  • managed_tokens_token_push_duration_seconds: Duration (in seconds) for a vault token to get pushed to a node
  • managed_tokens_failed_token_push_count: The number of times the Managed Tokens service failed to push a token to an interactive node
Notification-sending metrics
  • managed_tokens_admin_error_email_last_sent_timestamp: The last time managed tokens service attempted to send an admin error notification
  • managed_tokens_admin_error_email_send_duration_seconds: Time in seconds it took to successfully send an admin error email
  • managed_tokens_service_error_email_last_sent_timestamp: Last time managed tokens service attempted to send an service error notification
  • managed_tokens_service_error_email_send_duration_seconds: Time in seconds it took to successfully send a service error email
Error-count metrics (mirrors internal database state)
  • managed_tokens_current_setup_error_count: Count of how many consecutive setup errors there have been for a single service. Will reset to 0 after an error notification is sent
  • managed_tokens_current_push_error_count: Count of how many consecutive push errors there have been for a single service/node combination. Will reset to 0 after an error notification is sent

Tracing

The Managed Tokens service, starting with version v0.14, includes OpenTelemetry tracing in both the executables and the libraries. The provided OpenTelemetry-compatible trace provider uses a Jaeger for trace collection. In the future, the plan is to migrate this trace provider to the standard OpenTelemetry trace provider.

The tracing endpoint can be configured in the configuration file, under the tracing.url entry.

Directories

Path Synopsis
cmd
refresh-uids-from-ferry command
cmdUtils provides utilities that are meant to be used by multiple executables that use the managed tokens libraries
 cmdUtils provides utilities that are meant to be used by multiple executables that use the managed tokens libraries
token-push command
cmdUtils provides utilities that are meant to be used by multiple executables that use the managed tokens libraries
 cmdUtils provides utilities that are meant to be used by multiple executables that use the managed tokens libraries
internal
contextStore
db
Package db provides the FERRYUIDDatabase struct which provides an interface to a SQLite3 database that is used by the managed tokens utilities to store username-UID mappings, as provided from FERRY.
 Package db provides the FERRYUIDDatabase struct which provides an interface to a SQLite3 database that is used by the managed tokens utilities to store username-UID mappings, as provided from FERRY.
environment
Package environment contains types and functions to assist in passing around environments to be used in commands and wrapping commands in those environments
 Package environment contains types and functions to assist in passing around environments to be used in commands and wrapping commands in those environments
fileCopier
Package fileCopier contains interfaces and functions to assist in copying files via ssh.
 Package fileCopier contains interfaces and functions to assist in copying files via ssh.
kerberos
Package kerberos contains utilities to obtain kerberos tickets, query the kerberos cache, and switch caches in the case of multiple kerberos caches
 Package kerberos contains utilities to obtain kerberos tickets, query the kerberos cache, and switch caches in the case of multiple kerberos caches
metrics
Package metrics contains a Prometheus metrics registry that importing code can use to register Prometheus metrics.
 Package metrics contains a Prometheus metrics registry that importing code can use to register Prometheus metrics.
notifications
ping
Package ping provides utilities to ping a remote host
 Package ping provides utilities to ping a remote host
service
Package service provides the types and related methods to declare, manage, and configure OAuth services (as defined by the HTCondor project).
 Package service provides the types and related methods to declare, manage, and configure OAuth services (as defined by the HTCondor project).
testUtils
tracing
utils
Package utils provides general purpose utilities for the various other packages.
 Package utils provides general purpose utilities for the various other packages.
vaultToken
worker
Package worker provides worker functions and types that allow callers to abstract away the lower-level details of the various operations needed for the Managed Tokens utilities.
 Package worker provides worker functions and types that allow callers to abstract away the lower-level details of the various operations needed for the Managed Tokens utilities.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.