On Wed, Mar 03, 2021 at 09:50:30AM -0800, Michael Thomas wrote:
> Or you just expect online and not worry about any of this.

No, sorry. I've explained. We'll have to disagree.

> I'm not even sure why you'd want to use certs in your use case. You're just
> reinventing Kerberos.

Because we have a principal for a user, and also a trusted thing that wants to impersonate them (in order to run the user's batch jobs) but without the user having to delegate a credential to them. So we issue that thing a client certificate (that the user never sees) that can be used to acquire a TGT on behalf of the user.

This isn't remotely like reinventing Kerberos.

Nico
--