Difference between revisions of "How To Configure Identities For DILIGENT Services"

From Gcube Wiki
Line 1: Line 1:
 +
This page contains useful information for DILIGENT administrators about how to provides deployed services with a valid identity to operates in the DILIGENT infrastructure.
 +
 
==Delegate credentials to MyProxy==
 
==Delegate credentials to MyProxy==
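Review bot: the added introductory sentence has two verb-agreement errors ("how to provides ... to operates"); suggest "how to provide deployed services with a valid identity to operate in the DILIGENT infrastructure" so the first line a reader sees is clean.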
  
Line 16: Line 18:
 
==Set-up credentials a renewal task==
 
==Set-up credentials a renewal task==
  
Now you have to instruct the CredentialsRenewal service to periodically get your credentials from MyProxy and delegate it to your service. You can do this with the following command (all on the same line):
+
Now you have to instruct the CredentialsRenewal service to periodically get your credentials from MyProxy and delegate it to a service. You can do this with the following command (all on the same line):
  
 
  java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI \
 
  java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI \
Line 33: Line 35:
 
  -out yourProxyFile -voms test_diligent:/diligent/Role=Credentials-Manager
 
  -out yourProxyFile -voms test_diligent:/diligent/Role=Credentials-Manager
  
Then your credentials will be periodically delegated to your service.
+
Then your credentials will be periodically delegated to a service.
 
+
==Associate user with roles==
+
 
+
Now you have to deal with administrative issues of authorization. Usually these steps are performed by DILIGENT users in charge to manage authorization in DILIGENT (those with ''VOManagers'' and ''ResourceManagers'' roles) At the moment you can perform following steps thorugh a Command Line User Interface.
+
 
+
In order to be able to access the service you have to assign logical operations (defined in [/twiki/bin/view/DILIGENT/SecuritySessionBudapest#Create_the_VO_Handler_configurat this] step) to DILIGENT roles. Roles must be defined both in VOMS and the DILIGENT authorization service by VO Managers. Logical operations need to be defined in DILIGENT authorization services and granted to VO by Resource managers. Following steps allows you to perform these settings.
+
 
+
==Create a VOMS and DILIGENT role==
+
 
+
To add the role to the VOMS installation please refers to [https://edms.cern.ch/file/572406/1/user-guide.pdf VOMS documentation].
+
 
+
To add a role to the authorization service, as ''DILIGENT-VO-Manager'' you can execute following command:
+
 
+
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
+
-proxyFile:yourProxyFile \
+
-serviceUrl:<nowiki>http://...VOAdminstrationService</nowiki> \
+
-createRole \
+
-roleName:roleName \
+
-roleDesc:roleDescription \
+
-roleID:roleId \
+
 
+
You have to replace arguments with correct values, E.g:
+
 
+
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
+
-proxyFile:certs/roccettiProxy\
+
-serviceUrl:<nowiki>http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
+
/authorization/VOAdministrationService</nowiki> \
+
-createRole \
+
-roleName:ARTE_VO_Manager \
+
-roleDesc:Role_to_manage_the_ARTE_VO \
+
-roleID:r0 \
+
 
+
This command creates the ''ARTE_VO_Manager'' role on the authorization service hosted by grids15.eng.it
+
 
+
In both cases you have to be entitled to perform the <code><nowiki>{http://www.diligentproject.org/namespaces/dvos/authorization}adminVO</nowiki></code> operation (usually the ''DILIGENT-VO-Manager'' role is entitled). In case you're not allowed please ask to VO managers to perform this operation for you.
+
 
+
[[Image:info.gif|info]] Please notice that the creation of a new role is not a mandatory step, you can also grant permission to access your service to an existing role.
+
 
+
==Create Logical Operations==
+
 
+
As ''ResourceManager'' you have to define logical operations (those used in the [[Media:YourServiceHandler.properties]] file) in the authorization service. You can do this through the command:
+
 
+
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
+
-proxyFile:yourProxyFile  \
+
-serviceUrl:<nowiki>http://...OperationAdministrationService</nowiki>  \
+
-addOperation  \
+
-operationID:LogicalOperationID  \
+
-operationName:LogicalOperationName \
+
+
 
+
you have to replace arguments with correct values, E.g:
+
 
+
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
+
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
+
-serviceUrl:<nowiki>http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
+
/authorization/OperationAdministrationService  </nowiki>\
+
-addOperation  \
+
-operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}create-Rendering  \
+
-operationName:create-Rendering \
+
 
+
===Grant Operations to a VO===
+
 
+
As ''ResourceManager'' you have to grant logical operations to the DILIGENT VO in the authorization service. You can do this through the command:
+
 
+
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
+
-proxyFile:yourProxyFile  \
+
-serviceUrl:<nowiki>http://...OperationAdministrationService</nowiki>  \
+
-grantOperation  \
+
-operationID:LogicalOperationID  \
+
-operationName:LogicalOperationName  \
+
-voID:VOIdentifier \
+
+
 
+
You have to replace arguments with correct values, E.g:
+
+
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
+
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
+
-serviceUrl:<nowiki>http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
+
/authorization/OperationAdministrationService</nowiki>  \
+
-grantOperation  \
+
-operationID:{<nowiki>http\://www.diligentproject.org/namespaces/demo/renderer}createResource</nowiki>  \
+
-operationName:createRenderingResource \
+
-voID:VO0 \
+
 
+
To get the list of VO identifiers you can use the command:
+
 
+
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
+
-proxyFile:yourProxyFile  \
+
-serviceUrl:<nowiki>http://...OperationAdministrationService</nowiki>  \
+
-listExistingVOs \
+
 
+
E.g:
+
 
+
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
+
-proxyFile:/home/roccetti/certs/asterixProxy  \   
+
-serviceUrl:<nowiki>http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
+
/authorization/OperationAdministrationService</nowiki>  \
+
-listExistingVOs
+
 
+
===Associate role with permissions===
+
 
+
As ''DILIGENT-VO-Manager'' you have to associate a role with logical operations you defined through following command:
+
 
+
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
+
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy  \
+
-serviceUrl:<nowiki>http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
+
/authorization/VOAdministrationService</nowiki>  \
+
-grantPermission  \
+
-roleID:roleId  \
+
-operationID:LogicalOperationID
+
 
+
You have to replace arguments with proper values, E.g:
+
 
+
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
+
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
+
-serviceUrl:<nowiki>http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
+
/authorization/VOAdministrationService</nowiki>  \
+
-grantPermission  \
+
-roleID:r0  \
+
-operationID:{<nowiki>http\://www.diligentproject.org/namespaces/demo/renderer}createResource</nowiki>
+
 
+
===Create attributed proxy credentials===
+
 
+
Use this command to get new attributed proxy credentials containing a role:
+
 
+
voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem \
+
-out yourProxyFile -voms voLocalName:yourGroup/Role=yourRole
+
 
+
E.g:
+
 
+
voms-proxy-init -cert /home/roccetti/roccettiCert.pem \
+
-key /home/roccetti/roccettiKey.pem \
+
-out /home/roccetti/proxyFile \
+
-voms test_diligent:/diligent/Role=DILIGENT-VO-Manager
+
 
+
Now try to invoke your service using this certificate.
+
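Review bot: several of the added command examples will not run as written because of the line continuations. In the createRole example, `-proxyFile:certs/roccettiProxy\` has no space before the backslash, so the shell joins it with the next line into `-proxyFile:certs/roccettiProxy-serviceUrl:...`; only the split URL lines (`.../dvos\` followed by `/authorization/...`) are meant to be glued that way. Several commands also end in a dangling ` \` after their last argument (`-roleID:roleId \`, `-roleID:r0 \`, `-operationName:create-Rendering \`, `-voID:VO0 \`, `-listExistingVOs \`), which makes the shell continue onto the following blank line. The worked sequence is also inconsistent end to end: the addOperation example registers `{...renderer}create-Rendering`, but the grantOperation and grantPermission examples refer to `{...renderer}createResource`, so a reader copying the steps in order would grant an operation that was never defined; one of the two should be corrected. Finally, the grantPermission template already carries a concrete proxy path and host where every other template uses `yourProxyFile` and `http://...`, and the prose needs a pass for typos ("thorugh", "please refers to", "Following steps allows", "ask to VO managers").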

Revision as of 20:43, 16 March 2007

This page contains useful information for DILIGENT administrators about how to provide deployed services with a valid identity to operate in the DILIGENT infrastructure.

Delegate credentials to MyProxy

Use the following command to delegate credentials to MyProxy (all on the same line):

java org.globus.tools.MyProxy -host grids02.eng.it -l yourMyProxyUsername \
put -cert yourPublicCert.pem -key yourPrivateKey.pem

The procedure will ask you for the password that decrypts your private key and for the password that protects your new MyProxy account. As the account name (the value given to -l above) you can use any string not yet in use on the MyProxy server, or an already existing account, provided you supply its password.

E.g.:

java org.globus.tools.MyProxy -host grids02.eng.it \
-l roccetti put -cert certs/roccettiCert.pem -key certs/roccettiKey.pem

Set up a credentials renewal task

Now you have to instruct the CredentialsRenewal service to periodically get your credentials from MyProxy and delegate them to a service. You can do this with the following command (all on the same line):

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI \
-proxyFile:yourProxyFile \
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
/credentialsRenewal/CredentialsRenewalService \
-addCredentialsRenewal -userName:yourMyProxyUsername -password:yourMyProxyPassword \
-credentialsID:org/diligentproject/yourSubsystem/yourService \
-period:5 \
-delegationServiceURL:http://yourHostName:8080/wsrf/services/diligentproject/dvos\
/delegation/DelegationService

To run this command you have to provide a valid proxyFile containing the Credentials-Manager role. You can get such a certificate by contacting the VOMS server on grids10 using the command (on a single line):

voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem \
-out yourProxyFile -voms test_diligent:/diligent/Role=Credentials-Manager

Then your credentials will be periodically delegated to a service.
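The renewal step above only works when the proxy passed as -proxyFile really carries the Credentials-Manager role, and the same applies to the DILIGENT-VO-Manager role for the VO administration commands. The following POSIX shell helper is an added example, not part of the wiki page or of the DILIGENT tools: it checks a proxy's VOMS attributes for the role named in a `-voms vo:group/Role=role` argument before the Java tool is invoked, so a missing role is reported locally instead of surfacing as an authorization failure from the remote service. It assumes the FQAN list is what `voms-proxy-info -file PROXY -fqan` prints (one FQAN per line, each ending in `/Capability=NULL`); the sample list in the block is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page or the DILIGENT code base).
# Check that a VOMS proxy carries the role requested by a -voms argument
# before handing the proxy to CredentialRenewalUI or VOAdministrationUI.
#
# Assumption: FQANs are in the format printed by `voms-proxy-info -fqan`,
# e.g. /diligent/Role=Credentials-Manager/Capability=NULL, one per line.
# Constructed sample: a proxy holding Credentials-Manager in /diligent.
SAMPLE_FQANS='/diligent/Role=Credentials-Manager/Capability=NULL
/diligent/Role=NULL/Capability=NULL'

# required_fqan 'vo:group[/Role=role]' -> prints the FQAN that a -voms
# argument asks for, i.e. everything after the VO alias:
#   test_diligent:/diligent/Role=Credentials-Manager -> /diligent/Role=Credentials-Manager
# A group-only spec shows up in the proxy as group/Role=NULL, so normalise to that.
# Exit status 2 when the spec is not of the form vo:group[/Role=role].
required_fqan() {
    case $1 in
        *:/*) want=${1#*:} ;;
        *)    printf 'bad -voms spec, expected vo:group[/Role=role]: %s\n' "$1" >&2
              return 2 ;;
    esac
    case $want in
        */Role=*) ;;
        *)        want=$want/Role=NULL ;;
    esac
    printf '%s\n' "$want"
}

# proxy_has_role FQANLIST 'vo:group[/Role=role]' -> exit 0 if FQANLIST contains
# the requested group+role, 1 if it does not, 2 if the spec is malformed.
proxy_has_role() {
    want=$(required_fqan "$2") || return 2
    # Drop the trailing /Capability=... that voms-proxy-info appends, then look
    # for an exact whole-line, fixed-string match ('=' and '/' stay literal).
    printf '%s\n' "$1" | sed 's#/Capability=[^/]*$##' | grep -qxF -e "$want"
}

# check_proxy PROXYFILE 'vo:group[/Role=role]' -> same exit codes as
# proxy_has_role, reading the FQANs from a real proxy with the VOMS client tools.
check_proxy() {
    fqans=$(voms-proxy-info -file "$1" -fqan) || return 2
    proxy_has_role "$fqans" "$2"
}

# Usage for the renewal step on this page: only start CredentialRenewalUI when
# the proxy carries the Credentials-Manager role the step requires, e.g.
#   check_proxy yourProxyFile test_diligent:/diligent/Role=Credentials-Manager \
#     && java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI ...
```

The check compares the full group plus role rather than just grepping for the role name, so a proxy holding `Role=Credentials-Manager` in a different group does not pass for `/diligent`. The `check_proxy` wrapper needs the VOMS client tools on the path; `proxy_has_role` can be fed captured output and used without them.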