Hello all, We are trying to use RFT with VOMS PDP and PIP instead of grid-map. As said in the mail by Rachana, there has to be change in the security-config.xml of 2 web-services, namely ReliableFileTransferService and DelegationService.
Also Grid FTP server has to understand the VOMS credential. For that can we use the LCAS-LCMAPS framework? We have been successful in trying pre-webservices of GT4 (gridFTP/pre-WSGRAM) with VOMS credential using LCAS-LCMAPS which has a gt4 interface. And with that globus grid-map is not used. Instead, LCAS-LCMAPS have their own configuration files which map the VOMS FQAN to a unix local account. In EGEE, pre-webservices do use VOMS credential. But is RFT also configured to use VOMS credential? In other words, has anyone tried similar thing, ie. using VOMS credential for both the WS-container and the pre-web services in a single grid service like RFT? Any suggestion? Regards, Kakoli -----Original Message----- From: Rachana Ananthakrishnan [mailto:[EMAIL PROTECTED] Sent: Friday, September 12, 2008 6:24 PM To: 'Kakoli Sen'; gt-user@globus.org Cc: [EMAIL PROTECTED] Subject: RE: [gt-user] Using VOMS interceptors for Globus services like RFT, GRAM etc. Two other pieces are Delegation Service and GridFTP server. They default to gridmap authorization and in your case, they might be triggered. For delegation service, you can modify the security descriptor like you have for the other WS* services. For GridFTP, you will need C callouts that use VOMS credentials or equivalent of the VOMS PDP - I haven't tried this, but PRIMA callouts might help with the VOMS pieces. This was the first hit on a search: http://computing.fnal.gov/docs/products/voprivilege/prima/prima.html. Maybe someone from the GridFTP team has other suggestions. Rachana ---------------------------------------------------------------------------- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kakoli Sen Sent: Friday, September 12, 2008 6:34 AM To: gt-user@globus.org Cc: [EMAIL PROTECTED] Subject: [gt-user] Using VOMS interceptors for Globus services like RFT, GRAM etc. Hello all, We are using VOMS credential to access Globus services like RFT, GRAM etc. For this, we have installed VOMS server, VOMS client. And the VOMS interceptor is deployed in the Globus container. After this, we were able to succesfully invoke our own service 'DeployService' whose security config file and wsdd file has been attached. Here grid-map authz. has been disabled and authZ. value points to VOMS PDP and PIP. So the global grid-map need not have an entry for the client DN through which the service is invoked. Then we are trying RFT service similarly.(Only ReliableFileTransferService is configured to use VOMS PDP and PIP and grid-map authZ. is disabled). But here, the transfer happens successfully only if the global grid-mapfile has an entry for the client DN. If the entry is absent it gives the following error: <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><soapenv :Fault><faultcode>soapenv:Server.userException</faultcode><faultstring>org.g lobus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/C=IN/O=C-DAC KP Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service</faultstring><detail><ns1:stackTrace xmlns:ns1="http://xml.apache.org/axis/">org.globus.wsrf.impl.security.author ization.exceptions.AuthorizationException: "/C=IN/O=C-DAC KP Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.author ize(ServiceAuthorizationChain.java:301) at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.author ize(ServiceAuthorizationChain.java:272) at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.author ize(ServiceAuthorizationChain.java:235) at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(Auth orizationHandler.java:177) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java: 32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248) at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664) at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382) at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291) </ns1:stackTrace><ns2:hostname xmlns:ns2="http://xml.apache.org/axis/">sukeshini.cdacb.ernet.in</ns2:hostna me></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope> My guess is that RFT may actually be invoking other services which may be referring to the original grid--map. Then my query is : What other services are actually involved? Has anyone configured Globus RFTservice to use PDP and PIP instead of gridmap authZ.? Thanks & Regards, Kakoli ________________________________________________________________________ KAKOLI SEN Ph:91-80-25341909/215(Extn. 309) C-DAC Knowledge Park E-mail: #1, Old Madras Road [EMAIL PROTECTED] Bangalore - 560 038, INDIA [EMAIL PROTECTED] ________________________________________________________________________ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.