From 1f22ee4ac265904340263bfcc83727d53eb0e0fb Mon Sep 17 00:00:00 2001
From: aldbr
Date: Fri, 7 Mar 2025 18:22:51 +0100
Subject: [PATCH] fix: htcondor and delegated proxies
---
 .../Resources/Computing/HTCondorCEComputingElement.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/DIRAC/Resources/Computing/HTCondorCEComputingElement.py b/src/DIRAC/Resources/Computing/HTCondorCEComputingElement.py
index de8a0b3292f..444dced95d5 100644
--- a/src/DIRAC/Resources/Computing/HTCondorCEComputingElement.py
+++ b/src/DIRAC/Resources/Computing/HTCondorCEComputingElement.py
@@ -172,7 +172,9 @@ def __writeSub(self, executable, location, processors, pilotStamps, tokenFile=No
 executable = os.path.join(self.workingDirectory, executable)
- useCredentials = ""
+ # For now, we still need to include a proxy in the submit file
+ # HTCondor extracts VOMS attribute from it for the sites
+ useCredentials = "use_x509userproxy = true"
 # If tokenFile is present, then we transfer it to the worker node
 if tokenFile:
 useCredentials += textwrap.dedent(
@@ -274,6 +276,10 @@ def _executeCondorCommand(self, cmd, keepTokenFile=False):
 htcEnv = {
 "_CONDOR_SEC_CLIENT_AUTHENTICATION_METHODS": "SCITOKENS",
 "_CONDOR_SCITOKENS_FILE": self.tokenFile.name,
+ # This options is needed because we are still passing the proxy in the JDL (see use_x509userproxy)
+ # In condor v24.4, there is a bug preventing us from delegating the proxy, so we have to set
+ # it to false: https://opensciencegrid.atlassian.net/browse/HTCONDOR-2904
+ "_CONDOR_DELEGATE_JOB_GSI_CREDENTIALS": "false",
 }
 if cas := getCAsLocation():
 htcEnv["_CONDOR_AUTH_SSL_CLIENT_CADIR"] = cas
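Review bot: The new initial value `"use_x509userproxy = true"` has no trailing newline, and the `if tokenFile:` branch appends to it with `+=`, so the submit file stays well-formed only if the `textwrap.dedent(...)` literal, which continues outside this hunk, starts with a line break. Ending the string explicitly, `useCredentials = "use_x509userproxy = true\n"`, removes that dependency. The proxy is also now requested for every submission, including token-authenticated ones, so this path presumably assumes a valid proxy is always available at submit time. The comment could say where that proxy comes from and carry a `# TODO` for dropping the line once sites no longer need the VOMS attributes.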
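Review bot: `_CONDOR_DELEGATE_JOB_GSI_CREDENTIALS` is forced to `"false"` for every HTCondor version, although the comment ties the need to a bug in v24.4, and the comment does not record what is given up. With delegation off, HTCondor copies the proxy file to the CE instead of delegating a derived credential, so protection of the proxy in transit rests on the connection being encrypted. That belongs in the comment together with a removal condition, e.g. `# TODO: remove once HTCONDOR-2904 is fixed; proxy is copied, not delegated, so the channel must be encrypted`. The comment's first line should also read `# This option is needed ...`. `_executeCondorCommand` starts and ends outside this hunk, so whether this environment is applied only on the token path cannot be confirmed from here.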