Hello all,
    We are trying to use RFT with VOMS PDP and PIP instead of grid-map.
As said in the mail by Rachana, there has to be a change in the
security-config.xml of 2 web-services, namely ReliableFileTransferService
and DelegationService.

Also, the Grid FTP server has to understand the VOMS credential. For that, can we
use the LCAS-LCMAPS framework?
We have been successful in trying pre-webservices of GT4
(gridFTP/pre-WSGRAM) with VOMS credential using LCAS-LCMAPS which has a gt4
interface. And with that globus grid-map is not used. Instead, LCAS-LCMAPS
have their own configuration files which map the VOMS FQAN to a unix local
account.

In EGEE, pre-webservices do use VOMS credential. But is RFT also configured
to use VOMS credential?
In other words, has anyone tried a similar thing, i.e. using VOMS credential
for both the WS-container and the pre-web services in a single grid service
like RFT?

Any suggestion?
Regards,
Kakoli

  -----Original Message-----
  From: Rachana Ananthakrishnan [mailto:[EMAIL PROTECTED]
  Sent: Friday, September 12, 2008 6:24 PM
  To: 'Kakoli Sen'; gt-user@globus.org
  Cc: [EMAIL PROTECTED]
  Subject: RE: [gt-user] Using VOMS interceptors for Globus services like
RFT, GRAM etc.


  Two other pieces are Delegation Service and GridFTP server. They default
to gridmap authorization and in your case, they might be triggered. For
delegation service, you can modify the security descriptor like you have for
the other WS* services.

  For GridFTP, you will need C callouts that use VOMS credentials or
equivalent of the VOMS PDP - I haven't tried this, but PRIMA callouts might
help with the VOMS pieces. This was the first hit on a search:
http://computing.fnal.gov/docs/products/voprivilege/prima/prima.html. Maybe
someone from the GridFTP team has other suggestions.

  Rachana




----------------------------------------------------------------------------
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Kakoli Sen
    Sent: Friday, September 12, 2008 6:34 AM
    To: gt-user@globus.org
    Cc: [EMAIL PROTECTED]
    Subject: [gt-user] Using VOMS interceptors for Globus services like RFT,
GRAM etc.


    Hello all,
        We are using VOMS credential to access Globus services like RFT,
GRAM etc.
    For this, we have installed VOMS server, VOMS client. And the VOMS
interceptor is deployed in the Globus container.
    After this, we were able to successfully invoke our own service
'DeployService' whose security config file and wsdd file have been attached.
    Here grid-map authz. has been disabled and authZ. value points to VOMS
PDP and PIP. So the global grid-map need not have an entry for the client DN
through which the service is invoked.

    Then we are trying RFT service similarly. (Only
ReliableFileTransferService is configured to use VOMS PDP and PIP and
grid-map authZ. is disabled).
    But here, the transfer happens successfully only if the global
grid-mapfile has an entry for the client DN.
    If the entry is absent it gives the following error:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Body><soapenv:Fault>
    <faultcode>soapenv:Server.userException</faultcode>
    <faultstring>org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: &quot;/C=IN/O=C-DAC KP Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis&quot; is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service</faultstring>
    <detail><ns1:stackTrace xmlns:ns1="http://xml.apache.org/axis/">org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: &quot;/C=IN/O=C-DAC KP Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis&quot; is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service
            at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:301)
            at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:272)
            at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:235)
            at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(AuthorizationHandler.java:177)
            at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
            at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
            at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
            at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
            at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
            at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
            at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
    </ns1:stackTrace><ns2:hostname xmlns:ns2="http://xml.apache.org/axis/">sukeshini.cdacb.ernet.in</ns2:hostname></detail>
    </soapenv:Fault></soapenv:Body></soapenv:Envelope>


    My guess is that RFT may actually be invoking other services which may
be referring to the original grid-map.

    Then my query is: What other services are actually involved?

    Has anyone configured Globus RFT service to use PDP and PIP instead of
gridmap authZ.?

    Thanks & Regards,

    Kakoli
    ________________________________________________________________________
    KAKOLI SEN                              Ph:91-80-25341909/215(Extn. 309)
    C-DAC Knowledge Park                    E-mail:
    #1, Old Madras Road                     [EMAIL PROTECTED]
    Bangalore - 560 038, INDIA              [EMAIL PROTECTED]
    ________________________________________________________________________



    --
    This message has been scanned for viruses and
    dangerous content by MailScanner, and is
    believed to be clean.
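
Added example, not part of the original thread or of Globus code: a small Python triage helper that reads an Axis SOAP fault like the one posted above and reports which DN was denied and which service's operation denied it, which is how the fault points at DelegationService rather than RFT. The function name, the field names and the "last namespace segment" heuristic are assumptions made for this illustration; the sample is the posted fault with the stack trace removed and the line wrapping undone.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample: the fault from the thread, stack trace omitted, unwrapped.
SAMPLE_FAULT = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><soapenv:Fault>'
    '<faultcode>soapenv:Server.userException</faultcode>'
    '<faultstring>org.globus.wsrf.impl.security.authorization.exceptions.'
    'AuthorizationException: &quot;/C=IN/O=C-DAC KP Bangalore/OU=CTSF/'
    'OU=ctsf.cdac.org.in/CN=kakolis&quot; is not authorized to use operation: '
    '{http://www.globus.org/08/2004/delegationService}requestSecurityToken '
    'on this service</faultstring>'
    '</soapenv:Fault></soapenv:Body></soapenv:Envelope>'
)

# Message shape taken from the faultstring shown in the thread.
DENIAL = re.compile(
    r'AuthorizationException:\s*"(?P<dn>[^"]+)"\s+is not authorized to use '
    r'operation:\s*\{(?P<ns>[^}]+)\}(?P<op>\S+)'
)


def parse_authz_denial(envelope_xml):
    """Return the denied DN, operation and service, or None if not a denial."""
    root = ET.fromstring(envelope_xml)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    # SOAP 1.1 faultstring is an unqualified child of Fault.
    text = " ".join((fault.findtext("faultstring") or "").split())
    match = DENIAL.search(text)
    if match is None:
        return None
    ns = match.group("ns")
    return {
        "dn": match.group("dn"),
        "operation": match.group("op"),
        "namespace": ns,
        # Heuristic (assumption): the last path segment of the operation
        # namespace names the service whose authorization chain said no.
        "denying_service": ns.rstrip("/").rsplit("/", 1)[-1],
    }


if __name__ == "__main__":
    print(parse_authz_denial(SAMPLE_FAULT))
```

Run against faults captured from a failing transfer, the `denying_service` field shows which service's security descriptor still needs the same authorization change as the one that already works.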
