Currently, when we write a weakened token into our submit file, it is causing condor_vault_storer to fetch and upload a new weakened token
from the vault for every launch. We should instead remember that we have done this recently for a given weakened token scope and credd,
and turn off calling condor_vault_storer for later launches to the same credd.
The easiest may be the following:
- if we perform a successful submission, we leave a file in /tmp or $HOME/.cache/jobsub_lite or some such indicating the oauth_handle and credd that we successfully submitted to to remember that condor_vault_storer uploaded a vault token for us for this weakened credential
- when about to submit, if the oauth handle + credd file (above) from a previous launch is in our cache area, and is less than a week old, we set _condor_SEC_CREDENTIAL_STORER=/bin/true and don't even run condor_vault_storer in our submit.
@DrDaveD, @marcmengel, and I talked about this today. We decided that the best design for this would be to have a flag and corresponding environment variable that would implement the logic as stated above.
So, for example, if I pass this flag to jobsub_submit, it would write/check the cache file to see if it was a week old (maybe we need to make that six days), and if it is, we would NOT set _condor_SEC_CREDENTIAL_STORER to /bin/true. If the file is newer than that, then as Marc said above, we would set the environment variable.
This should cover both the managed tokens case that a lot of our production users would fall into, but also allow users to set up their own external vault-token renewing scripts if they really wanted to, and not have jobsub_submit call condor_vault_storer every time.
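One way to implement the cache check discussed in this issue, added here as an example; it is not jobsub_lite code. The function names, the per-user cache directory and the six-day limit are assumptions; only `_condor_SEC_CREDENTIAL_STORER=/bin/true` comes from the thread.

```python
import hashlib
import os
import stat
import time
from pathlib import Path

# Assumption: six days, the tighter bound floated in the thread.
MAX_AGE = 6 * 24 * 3600


def marker_path(cache_dir, oauth_handle, credd):
    """One marker per (oauth_handle, credd); hashing keeps odd characters out of the name."""
    digest = hashlib.sha256(f"{oauth_handle}\0{credd}".encode()).hexdigest()
    return Path(cache_dir) / f"stored-{digest}"


def marker_is_fresh(path, now=None):
    """True only for a regular file owned by this user and younger than MAX_AGE."""
    try:
        st = os.lstat(path)  # lstat: a symlink left at this path does not count
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        return False  # matters most if the cache lives in a shared directory like /tmp
    age = (time.time() if now is None else now) - st.st_mtime
    return 0 <= age < MAX_AGE  # a future-dated marker is treated as stale


def storer_env(env, cache_dir, oauth_handle, credd, now=None):
    """Return a copy of env with the credential storer disabled when the marker is fresh."""
    env = dict(env)
    if marker_is_fresh(marker_path(cache_dir, oauth_handle, credd), now):
        env["_condor_SEC_CREDENTIAL_STORER"] = "/bin/true"
    return env


def record_success(cache_dir, oauth_handle, credd):
    """Call only after a submission in which condor_vault_storer actually ran;
    refreshing the marker on skipped runs would keep it fresh forever."""
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    path = marker_path(cache_dir, oauth_handle, credd)
    try:
        os.unlink(path)  # replace any old marker (or symlink) rather than follow it
    except FileNotFoundError:
        pass
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path
```
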