Difference between revisions of "How To Configure Identities For DILIGENT Services"

From Gcube Wiki
Latest revision as of 18:58, 6 July 2016


This page contains useful information for gCube administrators about how to provide deployed services with a valid identity to operate in the gCube infrastructure.

Delegate credentials to MyProxy

Use the following command to delegate credentials to MyProxy:

java org.globus.tools.MyProxy -host grids02.eng.it -l yourMyProxyUsername \
put -t 168 -cert yourPublicCert.pem -key yourPrivateKey.pem

The procedure will ask you for the password to decrypt your private key and for the password that will protect your new MyProxy account. As the MyProxy account name you can use any string that is not yet in use on the MyProxy server, or an already existing account, providing the corresponding password.

The "-t" option sets the maximum lifetime (in hours) of the proxies that can be retrieved from this account; the default is 12 hours. Set it consistently with the period of the renewal task for the service (see below).

For example:

java org.globus.tools.MyProxy -host grids02.eng.it \
-l roccetti put -t 168 -cert certs/roccettiCert.pem -key certs/roccettiKey.pem

Create a new Credentials Renewal account

To enable credentials delegation you have to create an account in the Credentials Renewal Service that maps to the existing MyProxy account and holds the information needed to retrieve the credentials.

This can be done through the command line interface provided by the org.diligentproject.dvos.credentials-renewal-api component.

To use this command line interface you need to include dvos.credentials-renewal-api.jar, dvos.credentials-renewal-stubs.jar, and java-WS-core libraries in your classpath.

To create a new account corresponding to a valid MyProxy account you can use the command:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount...

The following options are required by the command:

  • -username : The username of the corresponding account on MyProxy
  • -password : The password of the corresponding account on MyProxy

The command prints out the id of the account created on the Credentials Renewal Service.

For example:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount \
-host credentialsRenewalHost -port credentialsRenewalPort -proxy your_proxy_file -username yourMyProxyUsername -password yourMyProxyPassword

The -help option can be used to obtain the exact command synopsis.


Then you have to add a context for your account. Contexts are a way to limit where your credentials can be used in the infrastructure. A context is composed of:

  • voName : The name of the VO where the credentials can be used; your credentials will be used only for services in this VOMS VO.
  • groupName : The group where the credentials can be used. The group name is hierarchical and also matches subgroups of the group itself: if you specify /diligent/ARTE your credentials can be used for all RIs of DLs in the ARTE community.
  • serviceName : Your credentials will be delegated only to RIs with this service name.
  • serviceClass : Your credentials will be used only for RIs belonging to this service class.

To define a new context for your account you can use the following command:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addContext...

This command requires the account id obtained in the previous step, and the values for the context to set.

For example:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addContext \
-accountID 34e0acc4-a67d-41fa-ad55-d261383b0e65 -voName diligent -groupName /diligent/ARTE/DL1 \
-serviceClass index -serviceName diligentproject/index/IndexService

Set-up a credentials renewal task

Now you have to instruct the Credentials Renewal Service to periodically retrieve the selected credentials from MyProxy and delegate them to a service. You can do this with the following command:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addTask...

In the options you have to specify the context in which the credentials will be used, the delegation service to which they must be forwarded, the delegationID under which they will be dispatched (by default the service name), the set of roles to be added, and the lifetime of the delegated credentials (period). This lifetime must not exceed the maximum lifetime of the proxies that can be retrieved from MyProxy (the "-t" value set above).

If the command returns without error, the credentials have been dispatched to the delegation service specified in the options.

For example:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addTask \
-accountID 34e0acc4-a67d-41fa-ad55-d261383b0e65 -voName diligent -groupName /diligent/ARTE/DL1 \
-serviceClass index -serviceName diligentproject/index/IndexService \
-delegationID diligentproject/index/IndexService -delegationServiceURL \
http://grids16.eng.it:8081/wsrf/services/diligentproject/dvos/delegation/DelegationService -roles \
basic,searcher,indexer -period 10
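The two checks an administrator would want before running -addTask are the ones the context section and the task section describe: does the context actually cover the target running instance (with the hierarchical groupName match), and does the renewal period fit inside the MyProxy "-t" lifetime. The helper below is an added example, not part of the gCube or DILIGENT code base; the class and function names are hypothetical, the sample values are constructed from this page's example command, and the period is assumed to be expressed in hours like the MyProxy "-t" option.

```python
"""Pre-flight validation of a credentials renewal task (added example, not gCube code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Scope of an account: where its credentials may be used (hypothetical type)."""
    vo_name: str
    group_name: str
    service_class: str
    service_name: str


@dataclass(frozen=True)
class RunningInstance:
    """The RI a task would delegate to (hypothetical type, constructed for the example)."""
    vo_name: str
    group_name: str
    service_class: str
    service_name: str


def group_matches(context_group: str, ri_group: str) -> bool:
    """Hierarchical groupName match: a context group covers itself and all subgroups.

    Compared segment by segment, so /diligent/ARTE covers /diligent/ARTE/DL1
    but does not accidentally cover a sibling such as /diligent/ARTEMIS.
    """
    ctx = [s for s in context_group.split("/") if s]
    ri = [s for s in ri_group.split("/") if s]
    return ri[: len(ctx)] == ctx


def context_allows(ctx: Context, ri: RunningInstance) -> bool:
    """All four context fields must agree with the target RI."""
    return (ctx.vo_name == ri.vo_name
            and group_matches(ctx.group_name, ri.group_name)
            and ctx.service_class == ri.service_class
            and ctx.service_name == ri.service_name)


def check_task(ctx: Context, ri: RunningInstance, period_hours: int, myproxy_max_hours: int) -> list:
    """Return the list of problems with a proposed -addTask; empty means it is consistent."""
    problems = []
    if not context_allows(ctx, ri):
        problems.append("context does not cover the target running instance")
    if period_hours <= 0:
        problems.append("period must be positive")
    elif period_hours > myproxy_max_hours:
        # Delegated lifetime (-period) must fit within the MyProxy -t lifetime.
        problems.append(f"period {period_hours}h exceeds MyProxy max lifetime {myproxy_max_hours}h")
    return problems


# Constructed from the page's example: -t 168 on MyProxy, -period 10 on the task.
PAGE_CONTEXT = Context("diligent", "/diligent/ARTE/DL1", "index", "diligentproject/index/IndexService")
```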