Difference between revisions of "How To Configure Identities For DILIGENT Services"

From Gcube Wiki

Latest revision as of 19:58, 6 July 2016


This page contains useful information for gCube administrators about how to provide deployed services with a valid identity to operate in the gCube infrastructure.

Delegate credentials to MyProxy

Use the following command to delegate credentials to MyProxy:

java org.globus.tools.MyProxy -host grids02.eng.it -l yourMyProxyUsername \
put -t 168 -cert yourPublicCert.pem -key yourPrivateKey.pem

The procedure asks you for the passphrase that decrypts your private key and for the password that will protect the MyProxy account. As the MyProxy username you can use any string not yet in use on the MyProxy server, or an existing account, in which case you must supply its password. Whoever knows this username and password can retrieve proxies derived from your certificate, so treat the pair like a service credential.

The -t option sets the maximum lifetime, in hours, of the proxies that MyProxy will issue from the stored credential; the default is 12 hours. Choose it together with the period of the renewal task you set up below: the period must not exceed this lifetime, or the renewal service will ask MyProxy for proxies it is not allowed to issue.

(E.g:

java org.globus.tools.MyProxy -host grids02.eng.it \
-l roccetti put -t 168 -cert certs/roccettiCert.pem -key certs/roccettiKey.pem

)

Create a new Credentials Renewal account

To enable credential delegation you first create an account in the Credentials Renewal service. The account maps to the MyProxy account created above and holds the information the service needs to retrieve credentials from MyProxy.

This can be done through the command line interface provided by the org.diligentproject.dvos.credentials-renewal-api component.

To use this command line interface you need to include dvos.credentials-renewal-api.jar, dvos.credentials-renewal-stubs.jar, and java-WS-core libraries in your classpath.

To create a new account corresponding to a valid MyProxy account you can use the command:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount...

The following options are required by the command:

  • -username : The username of the corresponding account on MyProxy
  • -password : The password of the corresponding account on MyProxy

The command prints the id of the account created on the Credentials Renewal service; keep it, the following steps need it. Note that the MyProxy password is passed as a command-line argument, so it ends up in your shell history and, while the command runs, in the process list of the host: run it from a personal, non-shared account and remove the line from the history afterwards.

(E.g:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -createMyProxyAccount \
-host credentialsRenewalHost -port credentialsRenewalPort -proxy your_proxy_file -username yourMyProxyUsername -password yourMyProxyPassword

)

The -help option prints the exact command synopsis.


Then add one or more contexts to the account. A context limits where in the infrastructure your credentials may be used; it is composed of:

  • voName : the name of the VO in which the credentials can be used; they will be delegated only to services in this VOMS VO.
  • groupName : the VOMS group in which the credentials can be used. The group name is hierarchical and also matches the subgroups of the given group: if you specify /diligent/ARTE, the credentials can be used by all running instances (RIs) of the DLs in the ARTE community.
  • serviceName : the credentials will be delegated only to RIs with this service name.
  • serviceClass : the credentials will be delegated only to RIs belonging to this service class.

Pick the narrowest group, class and name that still cover the instances you operate: every RI a context matches will receive a proxy of your identity.

To define a new context for your account use the following command:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addContext...

This command takes the account id printed in the previous step and the four values of the context.

(E.g:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addContext \
-accountID 34e0acc4-a67d-41fa-ad55-d261383b0e65 -voName diligent -groupName /diligent/ARTE/DL1 \
-serviceClass index -serviceName diligentproject/index/IndexService

)
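The matching rule behind a context, as an added example; this is not code from the page or from the gCube/DILIGENT code base. It models how a renewal service would decide whether a running instance falls inside a context: the four context fields and the hierarchical meaning of groupName are taken from the list above, while the RunningInstance type, the sample instances and the function names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Context:
    """The four fields of a Credentials Renewal context, as listed on the page."""
    vo_name: str
    group_name: str
    service_class: str
    service_name: str


@dataclass(frozen=True)
class RunningInstance:
    """Hypothetical description of a deployed running instance (RI) that would
    receive delegated credentials: the VO and VOMS group it serves, plus its
    service class and service name."""
    vo_name: str
    group_name: str
    service_class: str
    service_name: str


def _components(group: str) -> List[str]:
    # "/diligent/ARTE/DL1" -> ["diligent", "ARTE", "DL1"]; the leading slash and
    # any doubled slashes produce empty components, which are dropped.
    return [part for part in group.split("/") if part]


def group_matches(context_group: str, ri_group: str) -> bool:
    """Hierarchical match as the page describes it: the context group matches
    itself and every subgroup below it.  The comparison is component by
    component, so "/diligent/ARTE" matches "/diligent/ARTE/DL1" but not
    "/diligent/ARTEfact" (a plain string-prefix test would wrongly allow it)."""
    ctx = _components(context_group)
    return _components(ri_group)[: len(ctx)] == ctx


def context_allows(ctx: Context, ri: RunningInstance) -> bool:
    """All four fields must match; only groupName is hierarchical."""
    return (
        ctx.vo_name == ri.vo_name
        and group_matches(ctx.group_name, ri.group_name)
        and ctx.service_class == ri.service_class
        and ctx.service_name == ri.service_name
    )


def allowed_instances(contexts: Iterable[Context],
                      instances: Iterable[RunningInstance]) -> List[RunningInstance]:
    """Instances that at least one of the account's contexts authorises."""
    ctxs = list(contexts)
    return [ri for ri in instances if any(context_allows(c, ri) for c in ctxs)]


# Constructed sample: the context from the page's -addContext example widened to
# the whole ARTE community, and five hypothetical running instances.
ARTE_INDEX = Context("diligent", "/diligent/ARTE", "index",
                     "diligentproject/index/IndexService")

SAMPLE_INSTANCES = [
    RunningInstance("diligent", "/diligent/ARTE/DL1", "index",
                    "diligentproject/index/IndexService"),   # allowed: subgroup
    RunningInstance("diligent", "/diligent/ARTE", "index",
                    "diligentproject/index/IndexService"),   # allowed: same group
    RunningInstance("diligent", "/diligent/ARTEfact", "index",
                    "diligentproject/index/IndexService"),   # denied: sibling group
    RunningInstance("diligent", "/diligent/ARTE/DL1", "search",
                    "diligentproject/index/IndexService"),   # denied: other class
    RunningInstance("other", "/diligent/ARTE/DL1", "index",
                    "diligentproject/index/IndexService"),   # denied: other VO
]

if __name__ == "__main__":
    for ri in SAMPLE_INSTANCES:
        verdict = "allow" if context_allows(ARTE_INDEX, ri) else "deny "
        print(verdict, ri.vo_name, ri.group_name, ri.service_class)
```

A context whose groupName has no components at all (for example "/") matches every group in the VO, so when you review the contexts of an account, treat a short groupName as a wide grant rather than a harmless default.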

Set up a credentials renewal task

Now instruct the Credentials Renewal service to periodically retrieve the selected credentials from MyProxy and delegate them to a service. You can do this with the following command:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addTask...

In the options you specify the context in which the credentials will be used, the delegation service they must be forwarded to, the delegationID under which they are dispatched there (by default the service name), the set of roles to add, and the lifetime of the delegated credentials (-period). This lifetime must stay within the maximum lifetime of the proxies MyProxy will issue, i.e. the -t value chosen when the credentials were stored (see above); a period longer than -t cannot be satisfied.

If the command completes without error, the credentials have been dispatched to the delegation service given in the options.

(E.g:

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI -addTask \
-accountID 34e0acc4-a67d-41fa-ad55-d261383b0e65 -voName diligent -groupName /diligent/ARTE/DL1 \
-serviceClass index -serviceName diligentproject/index/IndexService \
-delegationID diligentproject/index/IndexService -delegationServiceURL \
http://grids16.eng.it:8081/wsrf/services/diligentproject/dvos/delegation/DelegationService -roles \
basic,searcher,indexer -period 10

)
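A helper that ties the four steps together, added here as an example; it is not part of the page or of the DILIGENT tools. It builds the command lines from one description of the service and refuses to build the -addTask line when the task's period exceeds the -t lifetime chosen in "Delegate credentials to MyProxy", which is the consistency requirement stated in that section and in this one. Assumptions of this example: -period is expressed in hours like -t, the -host/-port/-proxy connection options the page shows for -createMyProxyAccount also apply to -addContext and -addTask, the renewal service listens on port 8080, and the ServiceIdentity field names are this example's own.

```python
from dataclasses import dataclass, replace
from typing import List

MYPROXY_TOOL = "org.globus.tools.MyProxy"
RENEWAL_UI = "org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI"
MYPROXY_DEFAULT_MAX_PROXY_HOURS = 12  # what "put" uses when -t is omitted


@dataclass
class ServiceIdentity:
    """One service's identity set-up. Field names are this example's own; the
    command-line option each one feeds is named in the comment."""
    myproxy_host: str            # MyProxy -host
    myproxy_user: str            # MyProxy -l, renewal -username
    cert: str                    # put -cert
    key: str                     # put -key
    max_proxy_hours: int         # put -t
    renewal_host: str            # -host  (assumed to apply to every subcommand)
    renewal_port: int            # -port
    admin_proxy: str             # -proxy
    vo_name: str                 # -voName
    group_name: str              # -groupName
    service_class: str           # -serviceClass
    service_name: str            # -serviceName
    delegation_service_url: str  # -delegationServiceURL
    roles: List[str]             # -roles, joined with commas
    period_hours: int            # -period (assumed to be in hours, like -t)
    delegation_id: str = ""      # -delegationID; empty means the page's default


def validate(cfg: ServiceIdentity) -> List[str]:
    """Reasons this set-up cannot work; an empty list means it is consistent."""
    problems = []
    if cfg.period_hours <= 0:
        problems.append("period must be positive")
    elif cfg.period_hours > cfg.max_proxy_hours:
        problems.append(f"period {cfg.period_hours}h exceeds the maximum proxy lifetime "
                        f"{cfg.max_proxy_hours}h stored with put -t")
    if not cfg.group_name.startswith("/") or "" in cfg.group_name.strip("/").split("/"):
        problems.append(f"groupName {cfg.group_name!r} is not an absolute VOMS group path")
    if not cfg.delegation_service_url.startswith(("http://", "https://")):
        problems.append("delegationServiceURL must be an absolute http(s) URL")
    if not cfg.roles or any(not r or "," in r for r in cfg.roles):
        problems.append("roles must be a non-empty list of names without commas")
    return problems


def myproxy_put_cmd(cfg: ServiceIdentity) -> List[str]:
    return ["java", MYPROXY_TOOL, "-host", cfg.myproxy_host, "-l", cfg.myproxy_user,
            "put", "-t", str(cfg.max_proxy_hours), "-cert", cfg.cert, "-key", cfg.key]


def _renewal(cfg: ServiceIdentity, subcommand: str) -> List[str]:
    return ["java", RENEWAL_UI, subcommand, "-host", cfg.renewal_host,
            "-port", str(cfg.renewal_port), "-proxy", cfg.admin_proxy]


def create_account_cmd(cfg: ServiceIdentity, myproxy_password: str) -> List[str]:
    # The CLI accepts the password only as an argument, so this argv is visible
    # in the process list while it runs: execute it, never log or echo it.
    return _renewal(cfg, "-createMyProxyAccount") + ["-username", cfg.myproxy_user,
                                                    "-password", myproxy_password]


def _context_args(cfg: ServiceIdentity) -> List[str]:
    return ["-voName", cfg.vo_name, "-groupName", cfg.group_name,
            "-serviceClass", cfg.service_class, "-serviceName", cfg.service_name]


def add_context_cmd(cfg: ServiceIdentity, account_id: str) -> List[str]:
    return _renewal(cfg, "-addContext") + ["-accountID", account_id] + _context_args(cfg)


def add_task_cmd(cfg: ServiceIdentity, account_id: str) -> List[str]:
    """Refuses to build a task whose period the MyProxy credential cannot honour."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return (_renewal(cfg, "-addTask") + ["-accountID", account_id] + _context_args(cfg)
            + ["-delegationID", cfg.delegation_id or cfg.service_name,
               "-delegationServiceURL", cfg.delegation_service_url,
               "-roles", ",".join(cfg.roles), "-period", str(cfg.period_hours)])


# Constructed sample mirroring the page's examples; the renewal host, port and
# admin proxy path are placeholders.
INDEX_SERVICE = ServiceIdentity(
    myproxy_host="grids02.eng.it", myproxy_user="roccetti",
    cert="certs/roccettiCert.pem", key="certs/roccettiKey.pem", max_proxy_hours=168,
    renewal_host="credentialsRenewalHost", renewal_port=8080, admin_proxy="your_proxy_file",
    vo_name="diligent", group_name="/diligent/ARTE/DL1",
    service_class="index", service_name="diligentproject/index/IndexService",
    delegation_service_url="http://grids16.eng.it:8081/wsrf/services/diligentproject/dvos/delegation/DelegationService",
    roles=["basic", "searcher", "indexer"], period_hours=10)

# Same service, but "put" was run without -t and the task asks for a 24h period:
# the renewal service would request proxies that MyProxy will not issue.
DEFAULT_T_PLAN = replace(INDEX_SERVICE, max_proxy_hours=MYPROXY_DEFAULT_MAX_PROXY_HOURS,
                         period_hours=24)

if __name__ == "__main__":
    print(" ".join(myproxy_put_cmd(INDEX_SERVICE)))
    print(" ".join(add_task_cmd(INDEX_SERVICE, "34e0acc4-a67d-41fa-ad55-d261383b0e65")))
    print(validate(DEFAULT_T_PLAN))
```

The builder returns argv lists rather than shell strings so the commands can be handed to subprocess without quoting problems in paths or URLs; the account id for -addContext and -addTask is the one printed by -createMyProxyAccount, which this helper does not parse because the page does not document the output format.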