How To Configure Identities For gCube Services
As described in the gCube Security Model, delegation is an important feature in distributed multi-domain systems. To manage the delegation of users' credentials to Running Instances, the Credentials Renewal and Delegation services have been created as part of the Virtual Organisation Management subsystem.
This page describes the steps required to enable the delegation of a user's credentials to a gCube Running Instance. These steps configure the infrastructure so that delegation is possible; the delegation itself takes place only when a new Running Instance is actually deployed.
Delegate your credentials to MyProxy
The first step to perform is to delegate your credentials to the MyProxy credentials repository. The following command is available to do this:
java org.globus.tools.MyProxy -host <myproxy_hostname> -l <yourMyProxyUsername> \
    put -t <delegated_credentials_lifetime(in hours)> -cert <yourPublicCert.pem> -key <yourPrivateKey.pem>
The command asks for the password to decrypt your private key and for the password that protects your MyProxy account. As yourMyProxyUsername you can use an account that already exists in the MyProxy repository (provided you have the corresponding password), or a new string that is not yet in use as a MyProxy account.
The "-t" option sets the maximum lifetime (in hours) of the generated proxies; the default is 12 hours. This value should be set consistently with the renewal task for the service (see below).
Example:
java org.globus.tools.MyProxy -host grids02.eng.it \
    -l paolo.roccetti put -t 168 -cert certs/roccettiCert.pem -key certs/roccettiKey.pem
Create a new Credentials Renewal Account
To enable credentials delegation you have to create an account in the Credentials Renewal service that refers to the account just created in MyProxy and contains the information needed to retrieve your delegated credentials. This can be done through the command line interface provided by the Credentials-Renewal-API component.
To use the following command you need to include in your classpath the Java WS Core libraries, as well as the following ones:
- org.gcube.vomanagement.credentials-renewal-api.jar
- org.gcube.vomanagement.credentials-renewal-stubs.jar
To create a new account corresponding to a valid MyProxy account use the command:
java org.gcube.vomanagement.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount...
The following options are required:
- username : The username of the corresponding account on MyProxy (see previous step)
- password : The password of the corresponding account on MyProxy (see previous step)
- host : The host name where the Credentials Renewal service is running
- port : The port number where the Credentials Renewal service is listening
- proxy : A proxy of credentials you have delegated to MyProxy service in the previous step
The command prints the id of the account created on the Credentials Renewal Service. Save this id: it is required in the next step.
Example:
java org.gcube.vomanagement.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount \
    -host credentialsRenewalHost -port credentialsRenewalPort -proxy your_proxy_file \
    -username yourMyProxyUsername -password yourMyProxyPassword
The -help option can be used to obtain the exact synopsis of the previous command.
Configure the Credentials Renewal Account
After creation, you have to add a context for your account. Contexts are a way to limit the use of your credentials in the infrastructure. A context is composed of:
- voName : The name of the infrastructure where the credentials can be used; your credentials will be used only for the infrastructure you specify.
- groupName : The scope where the credentials can be used. The scope is hierarchical and also matches the sub-scopes of the scope itself: if you specify /gCube/SampleVO/SampleVRE, your credentials can be used for RIs of the SampleVRE in the SampleVO community.
- serviceName : Your credentials will be delegated only to RIs with this service name.
- serviceClass : Your credentials will be delegated only to RIs belonging to this service class.
To define a new context for your account you can use the following command:
java org.gcube.vomanagement.credentialRenewal.ui.CredentialRenewalUI -addContext...
This command requires the account id obtained in the previous step and the values of the context to set.
Example:
java org.gcube.vomanagement.credentialRenewal.ui.CredentialRenewalUI -addContext \
    -accountID 34e0acc4-a67d-41fa-ad55-d261383b0e65 -voName gCube -groupName /gCube/SampleVO/SampleVRE \
    -serviceClass index -serviceName gcube/index/IndexService
The -help option can be used to obtain the exact synopsis of the previous command.
When a new service matching the specified serviceName and serviceClass is deployed in a matching scope, the infrastructure automatically delegates your credentials to that service, enabling it to operate in the infrastructure on your behalf.
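The whole procedure on this page, as an added example script that is not part of the gCube documentation: it runs the three steps in order, checks the lifetime and scope values before calling the tools, and captures the account id printed by -createMyProxyAccount so it does not have to be copied by hand into -addContext. It assumes the Java WS Core and the two credentials-renewal jars are already on CLASSPATH; the hostnames, port, file names and the output line from which the id is extracted (any UUID printed by CredentialRenewalUI) are assumptions, since the page only says that the id is printed.

```shell
#!/bin/sh
# Added example (not part of the gCube documentation): the three steps of this
# page as one script. Assumes the Java WS Core jars and the two
# credentials-renewal jars are already on CLASSPATH. Hostnames, file names and
# the format of the CredentialRenewalUI output are assumptions.

# The value passed to "put -t" must be a whole, positive number of hours.
check_lifetime_hours() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# A scope (groupName) is a hierarchical path such as /gCube/SampleVO/SampleVRE.
check_scope() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Read CredentialRenewalUI output on stdin and print the account id: the UUID on
# the first line that carries one (the page only states that the id is printed,
# so the exact line format is an assumption).
extract_account_id() {
    sed -n 's/.*\([0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}\).*/\1/p' | head -n 1
}

# Step 1: delegate your credentials to MyProxy. The tool itself prompts for the
# private-key passphrase and the MyProxy account password.
# usage: myproxy_put HOST MYPROXY_USER LIFETIME_HOURS CERT_PEM KEY_PEM
myproxy_put() {
    check_lifetime_hours "$3" || { echo "bad lifetime (hours): '$3'" >&2; return 1; }
    java org.globus.tools.MyProxy -host "$1" -l "$2" put -t "$3" -cert "$4" -key "$5"
}

# Step 2: create the Credentials Renewal account and print only its id.
# usage: create_renewal_account HOST PORT PROXY_FILE MYPROXY_USER MYPROXY_PASSWORD
create_renewal_account() {
    java org.gcube.vomanagement.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount \
        -host "$1" -port "$2" -proxy "$3" -username "$4" -password "$5" | extract_account_id
}

# Step 3: add a context so the account is used only for one VO, scope, service
# class and service name.
# usage: add_context ACCOUNT_ID VO_NAME SCOPE SERVICE_CLASS SERVICE_NAME
add_context() {
    check_scope "$3" || { echo "bad scope, expected a /VO/... path: '$3'" >&2; return 1; }
    java org.gcube.vomanagement.credentialRenewal.ui.CredentialRenewalUI -addContext \
        -accountID "$1" -voName "$2" -groupName "$3" -serviceClass "$4" -serviceName "$5"
}

main() {
    # Placeholder values; replace them with your own before running.
    myproxy_put myproxy.example.org yourMyProxyUsername 168 certs/usercert.pem certs/userkey.pem || exit 1

    # Prompt for the MyProxy password with echo off instead of keeping it in this file.
    printf 'MyProxy password: ' >&2
    stty -echo; read -r myproxy_pw; stty echo; printf '\n' >&2

    account_id=$(create_renewal_account credentialsRenewalHost 8080 your_proxy_file \
                 yourMyProxyUsername "$myproxy_pw")
    [ -n "$account_id" ] || { echo "no account id found in CredentialRenewalUI output" >&2; exit 1; }
    echo "Credentials Renewal account id: $account_id"

    add_context "$account_id" gCube /gCube/SampleVO/SampleVRE index gcube/index/IndexService
}

# Only run the procedure when invoked as "sh delegate.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh delegate.sh run` once the placeholder values in main have been replaced. Reading the MyProxy password with echo off keeps it out of the shell history, but CredentialRenewalUI still receives it as a command-line argument, so it is visible in the process list for the duration of that call; this is the reason the script prompts for it rather than storing it in the file.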