Delegation of Credentials Using MyProxy

From EGEE-see Wiki


This Wiki page is a part of SEE-GRID Gridification Guide. It is contributed by Belgrade University Computer Centre.


Introduction

The MyProxy service allows a grid user to delegate her/his proxy certificate to a host, a service, or another user. This feature is not frequently used in gLite middleware, which employs MyProxy only for credential renewal of long-running jobs within WMS and for providing credentials to FTS jobs. However, proxy certificate delegation is crucial when implementing Web portals and applications that use the grid on behalf of several grid users.

Limitations and Hints for Web Applications

gLite and LCG unfortunately use the old Globus GSI, which does not allow programmatic passing of a GSI security context without writing proxy files to disk. Furthermore, the proxy file is located using the process owner's UID or the X509_USER_PROXY and GRID_PROXY_FILE environment variables. This effectively requires the creation of a separate process for each proxy in use, even when using the most common commands and APIs, such as WMProxy, GFAL, and LCG_util.

The described limitation rules out the more performance-effective multi-threaded environments used by most Web applications. More about this can be found in this Savannah ticket. However, it is still possible to use proxy delegation in Web applications, either by spawning subprocesses or by serializing the use of several proxies. The latter can be achieved by implementing a Web application that retrieves MyProxy certificates, processes requests from end users, and passes them to a back-end process that actually handles the user requests.
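The subprocess approach in practice, as an added example that is not part of the original wiki page: a small POSIX sh wrapper runs one grid command per delegated proxy in its own child process, so that each child locates its user's proxy through X509_USER_PROXY instead of the owner's default /tmp/x509up_u<uid>. The wrapper first refuses proxy files that are readable by other users. The function names and the sample proxy paths are assumptions for illustration; the command run in the child would be a real gLite or LCG client such as myproxy-info or lcg-cp.

```sh
#!/bin/sh
# Added example (not from the wiki page): one subprocess per delegated proxy.
# Usage: run_with_proxy /path/to/proxy.pem myproxy-info -d
# (the proxy path and the command are placeholders)

# Accept only a regular, non-symlinked file readable by its owner alone.
# A proxy file carries a private key, and a leaked proxy is a usable
# credential until it expires, so do not pass anything weaker to a child.
proxy_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    # stat -c is GNU, stat -f is BSD; try both
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# run_with_proxy PROXYFILE COMMAND [ARGS...]
# Runs COMMAND in a subshell with X509_USER_PROXY pointing at PROXYFILE.
# The subshell keeps the variable out of the caller's environment, so the
# portal process itself never "becomes" one of its users.
run_with_proxy() {
    proxy=$1; shift
    proxy_file_is_private "$proxy" || {
        echo "refusing proxy $proxy: must be a regular file with mode 0600" >&2
        return 1
    }
    (
        X509_USER_PROXY=$proxy
        export X509_USER_PROXY
        # make sure an inherited GRID_PROXY_FILE cannot override the choice
        unset GRID_PROXY_FILE
        exec "$@"
    )
}
```

The exit status of the child is returned to the caller, so a portal back-end can serialize requests by calling run_with_proxy once per user request and checking the result before moving on to the next proxy.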

Configuring MyProxy Server

In order to allow a host, service, or user to retrieve credentials, the MyProxy server must be properly configured. This is done by setting authorized_retrievers in the myproxy-server.config file. But since YAIM does not manage this parameter, and the MyProxy configuration is automatically generated when the MyProxy service is started, the best approach is to customize /etc/init.d/myproxy so that it sets authorized_retrievers to "*" or to the DNs of the hosts, services or users allowed to retrieve credentials. The value "*" allows any client, including anonymous clients (i.e. clients without existing credentials), to retrieve credentials with a valid MyProxy pass phrase. This is the recommended setting, as it leaves users the flexibility to set their own policies on their credentials.

Command-Line Example

A proxy credential that allows anonymous retrievers, retrievers with a matching CN, or retrievers with a matching DN is created using one of the following commands:

$ myproxy-init -d -a
$ myproxy-init -d -r "<retriever common name (CN) >" 
$ myproxy-init -d -x -r "<retriever full distinguished name (DN)>"

The MyProxy server being used is defined through the MYPROXY_SERVER environment variable, which can be overridden using the "-s hostname" option. In all three cases above, the DN of the invoking user's end-entity credentials is used as the MyProxy username for the generated proxy credential. For example:

$ myproxy-init -d -r "host/grid02.rcub.bg.ac.yu"
Your identity: /DC=ORG/DC=SEE-GRID/O=People/O=UOB/CN=Branko Marovic
Enter GRID pass phrase for this identity:
Creating proxy ..................................
........................................... Done
Proxy Verify OK
Your proxy is valid until: Thu Nov 29 16:57:33 2007
Enter MyProxy pass phrase:
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user 
/DC=ORG/DC=SEE-GRID/O=People/O=UOB/CN=Branko Marovic
now exists on myproxy.phy.bg.ac.yu.

This proxy can be inspected using:

$ myproxy-info -d
username: /DC=ORG/DC=SEE-GRID/O=People/O=UOB/CN=Branko Marovic
owner: /DC=ORG/DC=SEE-GRID/O=People/O=UOB/CN=Branko Marovic
  retrieval policy: */CN=host/grid02.rcub.bg.ac.yu
  timeleft: 167:58:43  (7.0 days)

After this, another user allowed by both the proxy owner and the MyProxy server can retrieve the generated credential. The identity of this user is established by a valid proxy or user certificate. This user must know the DN of the user who generated the proxy as well as the specified MyProxy pass phrase:

# myproxy-get-delegation -l \
"/DC=ORG/DC=SEE-GRID/O=People/O=UOB/CN=Branko Marovic" -o MyProxyDelegateCerr
Enter MyProxy pass phrase:
A proxy has been received for user 
/DC=ORG/DC=SEE-GRID/O=People/O=UOB/CN=Branko Marovic in MyProxyDelegateCerr

# cat  MyProxyDelegateCerr 
-----BEGIN CERTIFICATE-----
MIICJDCCAc6gAwIBAgICAaEwDQYJKoZIhvcNAQEEBQAwgYcxEzARBgoJkiaJk/Is
ZAEZEwNPUkcxGDAWBgoJkiaJk/IsZAEZEwhTRUUtR1JJRDEPMA0GA1UEChMGUGVv
...

If the "-o file" option is not used, the retrieved proxy credential is stored in the default location (/tmp/x509up_u<uid>). Since MyProxy v2.0 (more precisely, since MyProxy v0.6.5/GPT v1.17), myproxy-get-delegation has been renamed to myproxy-logon. However, the myproxy-logon command is not available in gLite 3.

If the MyProxy server is not configured to allow retrieval by the current user, or the generated proxy does not allow it, myproxy-get-delegation returns an error like:

$ myproxy-get-delegation -l \
"/DC=ORG/DC=SEE-GRID/O=People/O=UOB/CN=Branko Marovic"
Enter MyProxy pass phrase:
ERROR from server: 
"/DC=ORG/DC=SEE-GRID/O=Hosts/O=UOB/CN=host/grid02.rcub.bg.ac.yu"
not authorized by server's authorized_retriever policy 

Failed to receive a proxy.

$ myproxy-get-delegation -l \
"/DC=ORG/DC=SEE-GRID/O=People/O=UOB/CN=Branko Marovic"
Enter MyProxy pass phrase:
ERROR from server: "<anonymous>" not authorized by credential's retriever policy

Failed to receive a proxy.
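
The two error messages above come from two separate checks, which the following added example models in POSIX sh; it is not part of the original wiki page or of the MyProxy software. A retrieval request must first satisfy the server-wide authorized_retrievers setting from myproxy-server.config and then the retrieval policy stored with the credential (the "retrieval policy" line printed by myproxy-info -d). Both are shell-style wildcard patterns, matched here with a case statement. The DNs and the credential policy are the ones shown on this page; the server-side pattern values and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the wiki page): the two-layer retrieval check.

# dn_matches_any DN PATTERN...  -> 0 if DN matches any wildcard pattern
dn_matches_any() {
    dn=$1; shift
    for pat in "$@"; do
        # $pat is deliberately unquoted so that case treats it as a glob
        case "$dn" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# authorize_retrieval RETRIEVER_DN CREDENTIAL_POLICY SERVER_PATTERN...
# Returns 1 if the server list rejects the client, 2 if the credential's
# own policy rejects it, 0 if both layers allow delegation. The messages
# mirror the wording of the two ERROR lines shown on the page.
authorize_retrieval() {
    retriever=$1; cred_policy=$2; shift 2
    if ! dn_matches_any "$retriever" "$@"; then
        echo "\"$retriever\" not authorized by server's authorized_retriever policy"
        return 1
    fi
    if ! dn_matches_any "$retriever" "$cred_policy"; then
        echo "\"$retriever\" not authorized by credential's retriever policy"
        return 2
    fi
    echo "proxy may be delegated to $retriever"
    return 0
}

# Values from the page: policy produced by myproxy-init -d -r "host/grid02..."
OWNER_POLICY='*/CN=host/grid02.rcub.bg.ac.yu'
HOST_DN='/DC=ORG/DC=SEE-GRID/O=Hosts/O=UOB/CN=host/grid02.rcub.bg.ac.yu'
ANON='<anonymous>'   # how the server names a client without credentials

# Constructed server settings. A server that only admits SEE-GRID hosts
# lets grid02 through and leaves the decision to the owner's policy:
authorize_retrieval "$HOST_DN" "$OWNER_POLICY" '/DC=ORG/DC=SEE-GRID/O=Hosts/*' || :
# With authorized_retrievers "*" (the setting recommended above) an anonymous
# client passes the server but is still stopped by the credential's policy:
authorize_retrieval "$ANON" "$OWNER_POLICY" '*' || :
```

The practical consequence for the "*" server setting is that the per-credential policy given with -r or -x is the only thing standing between a stored credential and any client that knows the owner's DN and MyProxy pass phrase; a credential created with -a is retrievable by anyone holding that pass phrase.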

Finally, an already existing proxy credential can be revoked (removed from the MyProxy server) by using:

$ myproxy-destroy -d
Default MyProxy credential for user 
/DC=ORG/DC=SEE-GRID/O=People/O=UOB/CN=Branko Marovic was successfully removed.