Difference between revisions of "How To Configure Identities For DILIGENT Services"
Revision as of 18:00, 9 August 2007
This page contains useful information for DILIGENT administrators about how to provide deployed services with a valid identity to operate in the DILIGENT infrastructure.
Delegate credentials to MyProxy
Use the following command to delegate credentials to MyProxy:
java org.globus.tools.MyProxy -host grids02.eng.it -l yourMyProxyUsername \
    put -cert yourPublicCert.pem -key yourPrivateKey.pem
The procedure will ask you for the password to decrypt your private key and for the password to protect your new MyProxy account. As MyProxy account you can use any string not yet in use on the MyProxy server, or an already existing account, providing the corresponding password.
E.g.:
java org.globus.tools.MyProxy -host grids02.eng.it \
    -l roccetti put -cert certs/roccettiCert.pem -key certs/roccettiKey.pem
Create a new Credentials Renewal account
In order to enable credentials delegation you have to create an account in the Credentials Renewal service that maps to the one existing on MyProxy and contains the information needed to retrieve the credentials.
This can be done through the command line interface provided by the org.diligentproject.dvos.credentials-renewal-api component.
To use this command line interface you need to include dvos.credentials-renewal-api.jar and dvos.credentials-renewal-stubs.jar in your classpath.
To create a new account corresponding to a valid MyProxy account you can use the command:
java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount...
The following options are required by the command:
- -username : the username of the corresponding account on MyProxy
- -password : the password of the corresponding account on MyProxy
The command prints the id of the account created on the Credentials Renewal Service.
E.g.:
java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount \
    -username yourMyProxyUsername -password yourMyProxyPassword
The -help option can be used to obtain the exact command synopsis.
Then you have to add a context for your account. Contexts are a way to limit the use of your credentials in the infrastructure. A context is composed of:
- voName : the name of the VO where the credentials can be used; your credentials will be used only for services in this VOMS VO.
- groupName : the group name where the credentials can be used (the group name is hierarchical and also matches the subgroups of the group itself; if you specify /diligent/ARTE your credentials can be used for all RIs of DLs in the ARTE community).
- serviceName : your credentials will be delegated only to RIs with this service name.
- serviceClass : your credentials will be used only for RIs belonging to this class.
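The four context fields above act as a scope check on every delegation. The following small model is an added illustration and not DILIGENT project code: it assumes voName, serviceClass and serviceName must match exactly, and that the hierarchical groupName match is done per path segment (so /diligent/ARTE covers /diligent/ARTE/DL1 but not a similarly named sibling such as /diligent/ARTEFACT; both group values are constructed for this example). The Context class and the function names are hypothetical.

```python
"""Model of the credential-renewal context check described on the page.

Added illustration, not DILIGENT project code. Assumption: a context restricts
delegation to one VOMS VO, one group (the group itself and its subgroups,
taken here to mean path-segment prefixes), one service class and one service
name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Scope attached to a credential-renewal account (the -addContext values)."""
    vo_name: str
    group_name: str
    service_class: str
    service_name: str


def _group_segments(group: str) -> tuple:
    """Split a VOMS group path such as '/diligent/ARTE/DL1' into its segments."""
    return tuple(seg for seg in group.strip().split("/") if seg)


def group_covers(context_group: str, requested_group: str) -> bool:
    """True when requested_group is context_group itself or one of its subgroups.

    The comparison is done per path segment: '/diligent/ARTE' covers
    '/diligent/ARTE/DL1' but not '/diligent/ARTEFACT', which a plain
    string-prefix test would wrongly accept (assumed semantics).
    """
    ctx = _group_segments(context_group)
    req = _group_segments(requested_group)
    return len(req) >= len(ctx) and req[: len(ctx)] == ctx


def context_allows(ctx: Context, vo_name: str, group_name: str,
                   service_class: str, service_name: str) -> bool:
    """Decide whether credentials bound to ctx may be delegated to the given RI."""
    return (ctx.vo_name == vo_name
            and group_covers(ctx.group_name, group_name)
            and ctx.service_class == service_class
            and ctx.service_name == service_name)


if __name__ == "__main__":
    # Constructed example context, using the values from the page's -addContext example
    # but scoped to the whole ARTE community rather than a single DL.
    arte_index = Context("diligent", "/diligent/ARTE", "index",
                         "diligentproject/index/IndexService")
    requests = [
        ("diligent", "/diligent/ARTE/DL1", "index", "diligentproject/index/IndexService"),
        ("diligent", "/diligent/ARTEFACT", "index", "diligentproject/index/IndexService"),
        ("diligent", "/diligent/ARTE/DL1", "search", "diligentproject/index/IndexService"),
    ]
    for req in requests:
        print(req, "->", "allowed" if context_allows(arte_index, *req) else "denied")
```

The segment-wise comparison is the part worth checking in any real implementation of this rule: a bare string prefix test on group names would widen the scope to every group whose name merely starts with the configured one.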
To define a new context for your account you can use the following command:
java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addContext...
This command requires the account id obtained in the previous step, and the values for the context to set.
E.g.:
java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addContext \
    -accountID 34e0acc4-a67d-41fa-ad55-d261383b0e65 -voName diligent -groupName /diligent/ARTE/DL1 \
    -serviceClass index -serviceName diligentproject/index/IndexService
Set-up a credentials renewal task
Now you have to instruct the Credentials Renewal service to periodically fetch the selected credentials from MyProxy and delegate them to a service. You can do this with the following command:
java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addTask...
In the options you have to specify the context in which the credentials will be used, the delegation service they must be forwarded to, the service name they will be dispatched to, the set of roles to be added and the lifetime of the delegated credentials (period).
If the command returns successfully, the credentials have been dispatched to the delegation service specified in the options.
E.g.:
java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addTask \
    -accountID 34e0acc4-a67d-41fa-ad55-d261383b0e65 -voName diligent -groupName /diligent/ARTE/DL1 \
    -serviceClass index -serviceName diligentproject/index/IndexService -delegationID testID \
    -delegationServiceURL http://grids16.eng.it:8081/wsrf/services/diligentproject/dvos/delegation/DelegationService \
    -roles basic,searcher,indexer -period 10