How To Configure Identities For DILIGENT Services

From Gcube Wiki
This page contains useful information for gCube administrators about how to provide deployed services with a valid identity to operate in the gCube infrastructure.

Delegate credentials to MyProxy

Use the following command to delegate credentials to MyProxy:

java org.globus.tools.MyProxy -host grids02.eng.it -l yourMyProxyUsername \
put -t 168 -cert yourPublicCert.pem -key yourPrivateKey.pem

The procedure will ask you for the password to decrypt your private key and for the password that protects your new MyProxy account. As the MyProxy account (the -l username) you can use any string that is not yet in use on the MyProxy server, or an already existing account, providing the corresponding password.

The "-t" option sets the maximum lifetime (in hours) of the proxies generated from the delegated credentials; the default is 12 hours. This value should be chosen consistently with the renewal task for the service (see below): the renewal period must not exceed it.

E.g.:

java org.globus.tools.MyProxy -host grids02.eng.it \
-l roccetti put -t 168 -cert certs/roccettiCert.pem -key certs/roccettiKey.pem

Create a new Credentials Renewal account

In order to enable credentials delegation you have to create an account in the Credentials Renewal service that maps to the account existing on MyProxy and holds the information needed to retrieve credentials from it.

This can be done through the command line interface provided by the org.diligentproject.dvos.credentials-renewal-api component.

To use this command line interface you need to include dvos.credentials-renewal-api.jar, dvos.credentials-renewal-stubs.jar, and the Java WS Core libraries in your classpath.

To create a new account corresponding to a valid MyProxy account you can use the command:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount...

The following options are required by the command:

  • -username : The username of the corresponding account on MyProxy
  • -password : The password of the corresponding account on MyProxy

The command prints out the id of the account created on the Credentials Renewal Service.

E.g.:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount \
-host credentialsRenewalHost -port credentialsRenewalPort -proxy your_proxy_file -username yourMyProxyUsername -password yourMyProxyPassword

The -help option can be used to obtain the exact command synopsis.

Then you have to add a context for your account. Contexts are a way to limit the use of your credentials in the infrastructure: credentials are delegated only to services that match the context. A context is composed of:

  • voName : The name of the VO where credentials can be used; your credentials will be used only for services in this VOMS VO.
  • groupName : The group name where credentials can be used. The group name is hierarchical and also matches the subgroups of the group itself: if you specify /diligent/ARTE your credentials can be used for all RIs of DLs in the ARTE community.
  • serviceName : Your credentials will be delegated only to RIs with this service name.
  • serviceClass : Your credentials will be delegated only to RIs belonging to this service class.

To define a new context for your account you can use the following command:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addContext...

This command requires the account id obtained in the previous step, and the values for the context to set.

E.g.:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addContext \
-accountID 34e0acc4-a67d-41fa-ad55-d261383b0e65 -voName diligent -groupName /diligent/ARTE/DL1 \
-serviceClass index -serviceName diligentproject/index/IndexService

Set-up a credentials renewal task

Now you have to instruct the Credentials Renewal service to periodically retrieve the selected credentials from MyProxy and delegate them to a service. You can do this with the following command:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addTask...

In the options you have to specify: the context where the credentials will be used; the delegation service to which they must be forwarded; the delegationID under which they will be dispatched (by default the service name); the set of roles to be added; and the lifetime of the delegated credentials (period). This lifetime must not exceed the maximum lifetime of the proxies that can be retrieved from MyProxy (the -t value set above).

If the command returns without error, the credentials have been dispatched to the delegation service specified in the options.

E.g.:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addTask \
-accountID 34e0acc4-a67d-41fa-ad55-d261383b0e65 -voName diligent -groupName /diligent/ARTE/DL1 \
-serviceClass index -serviceName diligentproject/index/IndexService \
-delegationID diligentproject/index/IndexService -delegationServiceURL \
http://grids16.eng.it:8081/wsrf/services/diligentproject/dvos/delegation/DelegationService -roles \
basic,searcher,indexer -period 10
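The four steps above (delegate to MyProxy, create the renewal account, add a context, add the renewal task) can be driven from one POSIX shell script, with the check that the renewal period fits inside the MyProxy proxy lifetime done before anything is delegated. The script below is an added example and is not code from the gCube wiki or the DILIGENT project; it only assembles the command lines documented on this page. The hosts, ports, file paths, account id and URL are placeholders taken from the page or assumed, and it assumes that -period, like -t, is expressed in hours. By default it runs in dry-run mode and prints the commands instead of invoking java.

```shell
#!/bin/sh
# Added example (not part of the gCube wiki page): wraps the four identity-setup
# steps in functions so the MyProxy proxy lifetime (-t, hours) and the renewal
# task period (-period, assumed hours) can be checked for consistency first.
# Hostnames, ports, paths and ids below are placeholders or assumptions.

MYPROXY_HOST="${MYPROXY_HOST:-grids02.eng.it}"   # MyProxy host named on the page
CR_HOST="${CR_HOST:-credentialsRenewalHost}"     # placeholder, as on the page
CR_PORT="${CR_PORT:-8080}"                       # assumed port
CR_UI="org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI"
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands, 0 = run java

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Succeeds (returns 0) when the renewal period fits within the proxy lifetime
# obtained from MyProxy, which the page requires; fails otherwise.
period_fits_lifetime() {
  period="$1"; lifetime="$2"
  [ "$period" -gt 0 ] 2>/dev/null && [ "$period" -le "$lifetime" ] 2>/dev/null
}

# Step 1: delegate credentials to MyProxy; lifetime is the -t value in hours.
delegate_to_myproxy() {
  user="$1"; cert="$2"; key="$3"; lifetime="$4"
  run java org.globus.tools.MyProxy -host "$MYPROXY_HOST" -l "$user" \
      put -t "$lifetime" -cert "$cert" -key "$key"
}

# Step 2: create the matching account on the Credentials Renewal service.
# The real CLI prints the new account id; in dry-run mode the command is printed.
create_cr_account() {
  user="$1"; password="$2"; proxy="$3"
  run java "$CR_UI" -createMyProxyAccount -host "$CR_HOST" -port "$CR_PORT" \
      -proxy "$proxy" -username "$user" -password "$password"
}

# Step 3: scope the account to a VO, group, service class and service name.
add_context() {
  account="$1"; vo="$2"; group="$3"; sclass="$4"; sname="$5"
  run java "$CR_UI" -addContext -accountID "$account" -voName "$vo" \
      -groupName "$group" -serviceClass "$sclass" -serviceName "$sname"
}

# Step 4: register the renewal task. The delegationID defaults to the service
# name (as the page states), and the period is refused if it exceeds the
# proxy lifetime configured in step 1.
add_task() {
  account="$1"; vo="$2"; group="$3"; sclass="$4"; sname="$5"
  deleg_url="$6"; roles="$7"; period="$8"; lifetime="$9"
  if ! period_fits_lifetime "$period" "$lifetime"; then
    echo "refusing task: period ${period}h exceeds MyProxy lifetime ${lifetime}h" >&2
    return 1
  fi
  run java "$CR_UI" -addTask -accountID "$account" -voName "$vo" \
      -groupName "$group" -serviceClass "$sclass" -serviceName "$sname" \
      -delegationID "$sname" -delegationServiceURL "$deleg_url" \
      -roles "$roles" -period "$period"
}

# Whole procedure with the page's sample values; the account id is a placeholder
# because in dry-run mode step 2 cannot return a real one.
main_example() {
  LIFETIME=168
  delegate_to_myproxy roccetti certs/roccettiCert.pem certs/roccettiKey.pem "$LIFETIME"
  create_cr_account roccetti "$MYPROXY_PASSWORD" /tmp/x509up_example
  ACCOUNT="00000000-0000-0000-0000-000000000000"   # placeholder id
  add_context "$ACCOUNT" diligent /diligent/ARTE/DL1 index diligentproject/index/IndexService
  add_task "$ACCOUNT" diligent /diligent/ARTE/DL1 index diligentproject/index/IndexService \
      http://grids16.eng.it:8081/wsrf/services/diligentproject/dvos/delegation/DelegationService \
      basic,searcher,indexer 10 "$LIFETIME"
}

if [ "${RUN_EXAMPLE:-0}" = "1" ]; then main_example; fi
```

Run it with RUN_EXAMPLE=1 to see the four commands printed; set DRY_RUN=0 and export MYPROXY_PASSWORD to execute them. Note that the -password option of the CLI, exactly as documented on this page, places the MyProxy password on the java command line, where it is visible to other local users through process listings for as long as the command runs; running the step on a host you administer alone is the practical mitigation.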