How To Configure Identities For DILIGENT Services
Contents
Delegate credentials to MyProxy
Use following command to delegate credentials to MyProxy (all on the same line):
java org.globus.tools.MyProxy -host grids02.eng.it -l yourMyProxyUsername \ put -cert yourPublicCert.pem -key yourPrivateKey.pem
The procedure will ask you the password to decrypt your private key and the password to protect your new myProxyAccount. As myProxyAccount you can use any string still not in use on MyProxy server, or an already existing account, providing the corresponding password.
(E.g:
java org.globus.tools.MyProxy -host grids02.eng.it \ -l roccetti put -cert certs/roccettiCert.pem -key certs/roccettiKey.pem
)
Set-up credentials a renewal task
Now you have to instruct the CredentialsRenewal service to periodically get your credentials from MyProxy and delegate it to your service. You can do this with the following command (all on the same line):
java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI \ -proxyFile:yourProxyFile \ -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\ /credentialsRenewal/CredentialsRenewalService \ -addCredentialsRenewal -userName:yourMyProxyUsername -password: yourMyProxyPassword \ -credentialsID:org/diligentproject/yourSubsystem/yourService \ -period:5 \ -delegationServiceURL:http://yourHostName:8080/wsrf/services/diligentproject/dvos\ /delegation/DelegationService
To perform this command you have to provide a valid proxyFile containing the Credentials-Manager role. You can get such a certificate contacting the VOMS server on grids10 using the command (on a sigle line):
voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem \ -out yourProxyFile -voms test_diligent:/diligent/Role=Credentials-Manager
Then your credentials will be periodically delegated to your service.
Associate user with roles
Now you have to deal with administrative issues of authorization. Usually these steps are performed by DILIGENT users in charge to manage authorization in DILIGENT (those with VOManagers and ResourceManagers roles) At the moment you can perform following steps thorugh a Command Line User Interface.
In order to be able to access the service you have to assign logical operations (defined in [/twiki/bin/view/DILIGENT/SecuritySessionBudapest#Create_the_VO_Handler_configurat this] step) to DILIGENT roles. Roles must be defined both in VOMS and the DILIGENT authorization service by VO Managers. Logical operations need to be defined in DILIGENT authorization services and granted to VO by Resource managers. Following steps allows you to perform these settings.
Create a VOMS and DILIGENT role
To add the role to the VOMS installation please refers to VOMS documentation.
To add a role to the authorization service, as DILIGENT-VO-Manager you can execute following command:
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \ -proxyFile:yourProxyFile \ -serviceUrl:http://...VOAdminstrationService \ -createRole \ -roleName:roleName \ -roleDesc:roleDescription \ -roleID:roleId \
You have to replace arguments with correct values, E.g:
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \ -proxyFile:certs/roccettiProxy\ -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\ /authorization/VOAdministrationService \ -createRole \ -roleName:ARTE_VO_Manager \ -roleDesc:Role_to_manage_the_ARTE_VO \ -roleID:r0 \
This command creates the ARTE_VO_Manager role on the authorization service hosted by grids15.eng.it
In both cases you have to be entitled to perform the {http://www.diligentproject.org/namespaces/dvos/authorization}adminVO operation (usually the DILIGENT-VO-Manager role is entitled). In case you're not allowed please ask to VO managers to perform this operation for you.
Please notice that the creation of a new role is not a mandatory step, you can also grant permission to access your service to an existing role.
Create Logical Operations
As ResourceManager you have to define logical operations (those used in the Media:YourServiceHandler.properties file) in the authorization service. You can do this through the command:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \ -proxyFile:yourProxyFile \ -serviceUrl:http://...OperationAdministrationService \ -addOperation \ -operationID:LogicalOperationID \ -operationName:LogicalOperationName \
you have to replace arguments with correct values, E.g:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
/authorization/OperationAdministrationService \
-addOperation \
-operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}create-Rendering \
-operationName:create-Rendering \
Grant Operations to a VO
As ResourceManager you have to grant logical operations to the DILIGENT VO in the authorization service. You can do this through the command:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \ -proxyFile:yourProxyFile \ -serviceUrl:http://...OperationAdministrationService \ -grantOperation \ -operationID:LogicalOperationID \ -operationName:LogicalOperationName \ -voID:VOIdentifier \
You have to replace arguments with correct values, E.g:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
/authorization/OperationAdministrationService \
-grantOperation \
-operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}createResource \
-operationName:createRenderingResource \
-voID:VO0 \
To get the list of VO identifiers you can use the command:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \ -proxyFile:yourProxyFile \ -serviceUrl:http://...OperationAdministrationService \ -listExistingVOs \
E.g:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \ -proxyFile:/home/roccetti/certs/asterixProxy \ -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\ /authorization/OperationAdministrationService \ -listExistingVOs
Associate role with permissions
As DILIGENT-VO-Manager you have to associate a role with logical operations you defined through following command:
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \ -proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \ -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\ /authorization/VOAdministrationService \ -grantPermission \ -roleID:roleId \ -operationID:LogicalOperationID
You have to replace arguments with proper values, E.g:
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
/authorization/VOAdministrationService \
-grantPermission \
-roleID:r0 \
-operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}createResource
Create attributed proxy credentials
Use this command to get new attributed proxy credentials containing a role:
voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem \ -out yourProxyFile -voms voLocalName:yourGroup/Role=yourRole
E.g:
voms-proxy-init -cert /home/roccetti/roccettiCert.pem \ -key /home/roccetti/roccettiKey.pem \ -out /home/roccetti/proxyFile \ -voms test_diligent:/diligent/Role=DILIGENT-VO-Manager
Now try to invoke your service using this certificate.
