Web Authentication and Authorization using MyProxy APIs and Grid Portals
From EGEE-see Wiki
This article describes the basic methods for authenticating to a Grid infrastructure with an X.509 certificate and the MyProxy credential management system. Authentication can be done from Grid web user interfaces and Grid portals.
MyProxy
The MyProxy project began at NCSA in 2000 to provide an online credential repository and it’s distributed as part of many grid portals and the Globus Toolkit.
MyProxy is an online credential management system for the Grid. It is used to delegate a user's proxy credential to a Grid user interface or portal, which then authenticates to Grid resources on the user's behalf. Storing your Grid credentials in a MyProxy repository lets you retrieve a proxy credential whenever and wherever you need one. You can also allow trusted servers to renew your proxy credentials through MyProxy so that, for example, long-running tasks do not fail because of an expired proxy credential.
The steps for MyProxy initialization and delegation are:
1. Execute the myproxy_init command on the computer where your Grid credential is located to delegate a proxy credential to a MyProxy server. The delegated proxy credential normally has a lifetime of one week. The communication between the computer and the MyProxy server is protected by TLS. You need to supply a username and the pass phrase of your Grid credential. Then you need to supply a different MyProxy pass phrase to protect the delegated proxy credential on the MyProxy server.
2. Log into the Grid portal with the same username and MyProxy pass phrase used for delegating the proxy credential.
3. The portal uses the myproxy_get_delegation command to retrieve a delegated proxy credential from the MyProxy server using your username and MyProxy pass phrase.
4. The portal accesses Grid resources with the proxy credential on your behalf.
5. Logging out of the portal deletes your delegated proxy credential on the portal. If you forget to log off, the proxy credential expires at the end of the lifetime specified.
MyProxy toolkits
MyProxy can be downloaded from http://grid.ncsa.uiuc.edu/myproxy/download.html.
Toolkits which support MyProxy:
• Globus Toolkit 4.0 releases include MyProxy
• Virtual Data Toolkit releases include MyProxy
• NSF Middleware Initiative releases include MyProxy
• Commodity Grid (CoG) Kits include MyProxy Java clients
• pyGlobus includes MyProxy Python client bindings
• Gridport 2 includes MyProxy Perl client bindings
• Python/OpenSSL MyProxy client (doesn't require Globus Toolkit)
• Java Web Start MyProxy Upload Tool
• GSI-SSHTerm includes MyProxy support
• GridShib CA integrates Shibboleth authentication with the MyProxy CA
• MyProxy OGSA CredentialManager Service (experimental, for GT3)
MyProxy APIs
Integrating MyProxy clients into your application allows you to authenticate and obtain credentials for your users. The following MyProxy APIs are available for Java, Python and Perl:
• Java API (Java CoG), example: MyProxy.java
• Java MyProxyLogon API (source)
• Python API (pyGlobus)
• Perl API (MyProxy GET only)
MyProxy Java client
A new simple MyProxy Java client implementation is available. The MyProxyLogon client provides functionality similar to the myproxy-logon command and the Java CoG MyProxy.get() method, including management of trust roots in ~/.globus/certificates. There is also a simple MyProxyLogon GUI client available via Java Web Start. Javadoc, source code, and download links are at http://myproxy.ncsa.uiuc.edu/MyProxyLogon.
The MyProxyLogon API has minimal dependencies on other Java libraries. It uses the standard javax.net.ssl API instead of PureTLS. The only external dependencies are a small number of BouncyCastle utility classes, so the MyProxyLogon.jar (which includes the needed BouncyCastle classes) is only 110k in size.
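Worked example added here (not code from the EGEE wiki or from the MyProxy project) of how a portal carries out steps 2 to 5 of the delegation flow described above using the MyProxyLogon API: it retrieves a proxy whose lifetime is limited to the web session, refuses a chain that is not currently valid, reports the remaining lifetime, and deletes the proxy on logout. The MyProxyLogon class, package and method names (edu.uiuc.ncsa.MyProxy.MyProxyLogon with setHost, setPort, setUsername, setPassphrase, setLifetime, requestCredential, getCertificates, saveCredentialsToFile) and the server host name are assumptions.

```java
import edu.uiuc.ncsa.MyProxy.MyProxyLogon; // from MyProxyLogon.jar (package name assumed)
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Portal-side MyProxy session covering steps 2-5 of the delegation flow. */
public class PortalMyProxySession {
    private static final String MYPROXY_HOST = "myproxy.example.org"; // placeholder host name
    private static final int MYPROXY_PORT = 7512;                     // MyProxy default port
    private static final int SESSION_LIFETIME_SEC = 2 * 3600;         // hours for a session, not the week-long delegation
    private final File proxyFile;        // where the portal keeps this user's proxy
    private List<X509Certificate> chain; // proxy plus issuer chain, kept to track remaining lifetime

    public PortalMyProxySession(File proxyFile) { this.proxyFile = proxyFile; }

    /** Steps 2-3: log in with the MyProxy username and pass phrase and fetch a short-lived proxy. */
    public void login(String username, char[] passphrase) throws IOException, GeneralSecurityException {
        MyProxyLogon mp = new MyProxyLogon();
        mp.setHost(MYPROXY_HOST);
        mp.setPort(MYPROXY_PORT);
        mp.setUsername(username);
        mp.setPassphrase(new String(passphrase));
        mp.setLifetime(SESSION_LIFETIME_SEC);
        try {
            mp.requestCredential(); // TLS to the server; trust roots come from ~/.globus/certificates
        } finally {
            Arrays.fill(passphrase, '\0'); // the pass phrase is not needed once the proxy has been issued
        }
        chain = new ArrayList<X509Certificate>(mp.getCertificates());
        for (X509Certificate c : chain) {
            c.checkValidity(); // never store a chain that is expired or not yet valid
        }
        mp.saveCredentialsToFile(proxyFile.getPath()); // step 4 uses this file on the user's behalf
    }

    /** Seconds until the proxy (or any cert in its chain) expires; 0 when no usable proxy is held. */
    public long remainingSeconds() {
        if (chain == null) return 0;
        long earliest = Long.MAX_VALUE;
        for (X509Certificate c : chain) earliest = Math.min(earliest, c.getNotAfter().getTime());
        return Math.max(0, (earliest - System.currentTimeMillis()) / 1000);
    }

    /** Step 5: logging out deletes the delegated proxy from the portal host. */
    public void logout() {
        chain = null;
        if (!proxyFile.delete() && proxyFile.exists()) proxyFile.deleteOnExit(); // a stale proxy must not outlive the session
    }
}
```

A portal session handler would call login() at step 2, poll remainingSeconds() before each Grid operation, and call logout() both on explicit logout and on HTTP session timeout so that step 5 does not depend on the user remembering to log off.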
MyProxy and Grid Portals
MyProxy provides a solution for delegating credentials to Grid portals to allow the portal to authenticate to Grid services on the user's behalf. A Grid portal is a web server that provides an interface to Grid services, allowing users to submit compute jobs, transfer files, and query Grid information services from a standard web browser.
The following software is available for integrating MyProxy with Grid portals and other web applications:
• The MyProxy JAAS Module supports MyProxy authentication and authorization via the JAAS framework.
• A MyProxy Apache module is available.
• MyProxy supports integration with the Pubcookie web single sign-on system.
• The Open Grid Computing Environment (OGCE) collaboratory provides software for building grid computing portals using MyProxy. See the OGCE MyProxyAuthModule.java for a good example of using MyProxy for portal authentication.
• The GridSphere credential manager portlet supports MyProxy. See the Single Sign-on section of the GridSphere Grid Portlets Administrator's Guide.
• PURSE: a Portal-based User Registration Service, combines the Simple CA with MyProxy.
• GridPort also interfaces with MyProxy.
• The Extreme! Computing Lab's Proxy Manager Xportlet interfaces with MyProxy.
Each specific Grid portal toolkit should provide its own documentation and support for working with MyProxy. However, this page includes some general information about using MyProxy with Grid portals.
Example: web authentication on a GridSphere portal
The instructions for installing the OGCE Grid portlets or GridSphere portlets into GridSphere are given below:
1. Download Apache Maven 1.0.2 and Apache Ant 1.6.x.
2. Download GridSphere 2.0.x and Tomcat 5.0.x or Tomcat 5.5.x.
3. If you use Tomcat 5.5.x, you need to also get the Java 1.4 compatibility patch.
4. If you use Tomcat 5.5.x, you need to copy the Tomcat 5.0.x ant.jar and ant-launcher.jar to 5.5.x's common/lib directory.
5. Set CATALINA_HOME and ANT_HOME environment variables.
6. Run "ant install" in the GridSphere source directory.
7. Edit the tomcat-users.xml to add the gridsphere user and manager role.
Start Tomcat and point your browser to http://localhost:8080/gridsphere. Next, shutdown Tomcat and install the portlets into GridSphere.
1. Download and unpack the OGCE release 2 or GridSphere portlets.
2. Edit the project.properties file.
3. Run "maven gridSphereDeployAll".
When installation is complete, (re)start your Tomcat server and point your browser at http://localhost:8080/gridsphere. This assumes of course that you run Tomcat on localhost using port 8080 (the Tomcat default). If not, substitute the appropriate machine IP address or DNS name.
After that you have to configure users and groups, and you can add portlets to the user view.
Users log into the portal, choose the OGCE or GRID tab, and authenticate each action through the portlets (job submission, data management, ...).
