VOMS-API

From Gcube Wiki
Latest revision as of 12:27, 5 June 2009

The VOMS-API library

The library offers a number of facilities for interacting with a VOMS server. [Installation procedure]

The latest version of this library allows a VO in a VOMS server installation to be managed programmatically, from both a generic Java client and a gCube service.

The VOMS-API library can invoke three different VOMS WSDL-based web interfaces:

  • glite-security-voms-admin-2.0.2.wsdl
  • glite-security-voms-acl-2.0.2.wsdl
  • glite-security-voms-attributes-2.0.2.wsdl

VOMS Admin

The VOMS-Admin interface is in charge of the administrative actions: through it you can add/remove users, create/delete groups, etc. The VOMS-API library offers two different VOMSAdmin implementations, VOMSAdminGT4 and VOMSAdminImpl, which invoke the VOMS admin interface from a gContainer or from a standard Java client, respectively.

[Image: VOMS-API.png]

These implementations wrap two different portTypes (standard and extended) to access these functionalities:

  • the standard portType implements all the VOMS-Admin operations provided by glite-security-voms-admin-2.0.2.wsdl.
  • the extended portType offers a number of customized gCube operations built on top of the standard one. Some operations are overloaded in order to simplify management of the users with a proxy certificate provided by gCube SimpleCA.

Both classes (VOMSAdminImpl and VOMSAdminGT4) can be instantiated in three different ways. By default they use the host credentials contained in /etc/grid-security/hostpubliccert.pem and /etc/grid-security/hostprivatekey.pem.

Alternatively a user can specify his own credentials:

  • a user can specify client credentials by indicating the triple (CLIENT_CERT, CLIENT_KEY, CLIENT_PWD), or
  • a user can specify client credentials by indicating a CLIENT_PROXY, that is, a proxy certificate derived from the PEM certificates,

as described in the [vomsAPI.properties example].

VOMS-Admin sample usage

The two sample classes shipped in the voms-api-test-suite, VOMSTest and CredTest, are, respectively, usage examples of the VOMSAdminImpl class and of CredentialsManagerImpl.

Usage Examples from inside a gContainer

// dn, ca, username, email and credentials are assumed to be defined by the caller;
// the enclosing method declares "throws Exception" because the failures are rethrown.
User user = new User();
user.setDN(dn);
user.setCA(ca);
user.setCN(username);
user.setMail(email);
VOMSAdminGT4 vomsAdminGT4 = new VOMSAdminGT4("/path/to/vomsAPI.properties");
 
// credentials used on the GSI transport (the container's delegated credentials)
((Stub) vomsAdminGT4)._setProperty(GSIConstants.GSI_CREDENTIALS, credentials);
 
// Authentication method: GSI transport security with encryption
((Stub) vomsAdminGT4)._setProperty(org.globus.wsrf.impl.security.authentication.Constants.GSI_TRANSPORT, org.globus.wsrf.impl.security.authentication.Constants.ENCRYPTION);
// delegation: do not delegate our credentials to the VOMS server
((Stub) vomsAdminGT4)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_NO_DELEG);
// set Context lifetime (seconds)
((Stub) vomsAdminGT4)._setProperty(org.globus.wsrf.impl.security.authentication.Constants.CONTEXT_LIFETIME, 300);
 
try {
    // create a standard user in VOMS
    vomsAdminGT4.getPortType().createUser(user);
} catch (Exception e) {
    throw e;
}
 
try {
    // create an onLineCA user in VOMS (the same username and mail as above)
    vomsAdminGT4.getExtendedPortType().createOnlineCAUser(username, email);
} catch (Exception e) {
    throw e;
}

Usage Examples from a Java client

// dn, ca, username and mail are assumed to be defined by the caller
User user = new User();
user.setDN(dn);
user.setCA(ca);
user.setCN(username);
user.setMail(mail);
VOMSAdminImpl vomsAdmin = new VOMSAdminImpl("/path/to/vomsAPI.properties");
 
// create a standard user in VOMS
System.out.println("Create user with username: " + username + ", mail: " + mail);
vomsAdmin.getPortType().createUser(user);
 
// create an onLineCA user in VOMS
System.out.println("Create OnLineCA user with username: " + username + ", mail: " + mail);
vomsAdmin.getExtendedPortType().createOnlineCAUser(username, mail);

VOMS Attributes

The VOMS Attributes interface manages VOMS Generic Attributes. Generic attributes (GAs) are (name, value) pairs that can be assigned to VO users and that end up in the Attribute Certificate issued by VOMS. GAs extend the range of attributes that VOMS can issue beyond Fully Qualified Attribute Names (FQANs), i.e., they allow VOMS to issue any kind of VO membership information that can be expressed as (name, value) pairs. Such information can then be leveraged by Grid applications to take authorization decisions. By their nature, GAs are issued to VO users. VOMS however provides a way to quickly assign GAs to all the VO members that belong to a specific VOMS group or that are assigned a specific VOMS role within a group. For this reason, you find GA management in the user, group and role management pages of VOMS Admin. This interface allows GAs to be assigned to users, after first creating the corresponding Generic Attribute class. The Generic Attribute class defines the name and, optionally, a description for the GA.

VOMS-Attributes sample usage

Here is a sample usage of create, assign and list-user-attributes for a user, which lists the generic attributes defined for that user.

// testName, testDescription, userName, DN, userCA, mail and attributeValue are assumed to be defined by the caller
VOMSAttributesAPI vomsAttributes = new VOMSAttributesAPI();      // it uses vomsAPI.properties configurations
// Create attribute class with name and description
vomsAttributes.createAttributeClass(testName, testDescription);
 
// create a user
VOMSAdminImpl vomsAdmin = new VOMSAdminImpl();
User user = new User();
user.setCN(userName);
user.setDN(DN);          // must match the DN passed to createUser below, so the attribute is set on the same user
user.setCA(userCA);
user.setMail(mail);
vomsAdmin.getExtendedPortType().createUser(userName, DN, userCA, mail);
 
// Set attribute for user
vomsAttributes.setUserAttribute(user, attributeValue);
 
// List attributes for user
AttributeValue[] userAttributeValues = vomsAttributes.listUserAttributes(user);

CredentialsManagerImpl

This class provides a method to retrieve a user's credentials. It manages the communication with the MyProxy CA server to generate simple credentials for the username provided, and some operations are overloaded in order to simplify management of the users with a proxy certificate provided by gCube SimpleCA.

Usage Examples

// Retrieves an ExtendedGSSCredential from the MyProxy server with VOMS Attributes (roles, groups) attached.
// manager (a CredentialsManagerImpl), userName, pwd, groupName and proxyFile are assumed to be defined by the caller.
System.out.print("Retrieve Credentials from MyProxy with VOMS attributes:");
ExtendedGSSCredential cred;
try {
    cred = manager.getCredentials(userName, pwd, groupName);
    if (cred != null) {
        // export the proxy (certificate chain plus private key) in opaque form
        byte[] data = cred.export(ExtendedGSSCredential.IMPEXP_OPAQUE);
        // append=false creates the file if missing and truncates it otherwise
        FileOutputStream out = new FileOutputStream(proxyFile, false);
        try {
            out.write(data);
        } finally {
            out.close();    // close the stream even when write() fails
        }
        System.out.println("Credentials for " + userName + " are correctly retrieved and stored in ");
        System.out.println("\t" + proxyFile + ".");
    }
} catch (Exception e) {
    e.printStackTrace();
}
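The proxy written above contains a private key, so how it lands on disk matters. As an added example that is not part of the VOMS-API library or of this page, the hypothetical helper below hardens that storage step: it refuses a credential whose remaining lifetime is too short and creates the file with owner-only permissions before any bytes are written. It assumes Java 7+ (NIO.2), a POSIX filesystem, and the jGlobus ExtendedGSSCredential type the page already uses; `MIN_LIFETIME_SECONDS` is a constructed threshold.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SeekableByteChannel;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

import org.globus.gsi.gssapi.ExtendedGSSCredential;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

/** Hypothetical helper (not part of VOMS-API) for storing a MyProxy/VOMS proxy safely. */
public final class ProxyStore {

    /** Constructed threshold: refuse proxies with less than one minute of life left. */
    private static final int MIN_LIFETIME_SECONDS = 60;

    private ProxyStore() {}

    /**
     * Writes the opaque export of {@code cred} to {@code proxyFile} with mode rw-------.
     * Returns the number of bytes written. Fails if the file already exists, so a stale
     * proxy is never silently overwritten and a pre-planted symlink is not followed.
     */
    public static int store(ExtendedGSSCredential cred, Path proxyFile)
            throws GSSException, IOException {
        int remaining = cred.getRemainingLifetime();
        if (remaining != GSSCredential.INDEFINITE_LIFETIME && remaining < MIN_LIFETIME_SECONDS) {
            throw new GSSException(GSSException.CREDENTIALS_EXPIRED);
        }
        byte[] data = cred.export(ExtendedGSSCredential.IMPEXP_OPAQUE);

        // Permissions are applied atomically at creation, before the key material is written.
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Set<? extends OpenOption> opts = EnumSet.of(StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        try (SeekableByteChannel ch = Files.newByteChannel(proxyFile, opts, ownerOnly)) {
            ByteBuffer buf = ByteBuffer.wrap(data);
            while (buf.hasRemaining()) {
                ch.write(buf);
            }
        }
        return data.length;
    }
}
```

In the snippet above this replaces the `FileOutputStream` block with `ProxyStore.store(cred, Paths.get(proxyFile))`; an existing file must be removed first, which makes an unexpected leftover proxy visible instead of silently replaced.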