Like I explained in my previous email, you need to ensure the delegated
credential is used when you invoke Gram Job. This can be done using the run-as
property; please look at my previous email.
http://www.globus.org/toolkit/docs/4.0/security/authzframe/security_descriptor.html#s-authzframe-secdesc-configRunas
 
Rachana


  _____  

From: Salman Zubair Toor [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 09, 2007 2:52 AM
To: Rachana Ananthakrishnan
Cc: gt-user
Subject: Re: [gt-user] Exception while delegating user credentials....


Hi Rachana 

Thanks for your answer.

On Aug 8, 2007, at 4:59 PM, Rachana Ananthakrishnan wrote:


I see that the DN in question is a host DN and I wouldn't expect you to map
that in the gridmap. Sorry, missed that when I read the email before.
 
Typically only the client DN, which is a user DN, is set in the gridmap.
Looking at your logs, it seems like the client is accessing some service
Foo, which in turn invokes "GramJob". Is that correct ? You seem to be
delegating the credentials of service Foo to the delegation service.
 

Yes, I am using a service to invoke the GramJob.


When the client calls service Foo, using the settings in your port type, you
will have the client's delegated credentials at the end of the invocation.
You should use that for all other operations, if you require that "GramJob"
calls use the client's credential. To do that, in your service security
descriptor, set GSI Secure conversation as the required method and run-as to
be caller-identity. This will ensure that the delegated credentials will be
set as the credentials associated with the thread and the subsequent
invocations from the thread will use the client's delegated credentials.
 
Alternatively, you can use delegation service to delegate client credentials
to and then use that from your service.
http://www.globus.org/toolkit/docs/4.0/security/delegation/
 
If you indeed want to delegate host credentials, then you will need to add a
gridmap entry with the host DN. But I am not sure I understand why you would
want to do that.
 
WS GRAM and the multi job option, that takes a request for submitting jobs
for a user and submits it on behalf of the user to a configured GRAM service
is available as part of the Globus Toolkit.
http://www.globus.org/toolkit/docs/4.0/execution/wsgram/ Is your requirement
different from what that service fulfills?
 
Rachana


My client and server side code looks like this:


Client:
_____________________________

try{
    msgContext.getCurrentContext();
    manager = (ExtendedGSSManager)ExtendedGSSManager.getInstance();
    cred = manager.createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    userGlobusCred = ((GlobusGSSCredentialImpl)cred).getGlobusCredential();
    iA = new IdentityAuthorization(userGlobusCred.getIdentity());
    delegFactoryEndpoint = DelegationServiceEndpoint.getInstance().getDelegationServiceEndpoint();
    delegFactory = delegfactoryLocator.getDelegationFactoryPortTypePort(delegFactoryEndpoint);
    iiA = new HostAuthorization();
    secDesc = new ClientSecurityDescriptor();
    secDesc.setGSITransport(Constants.ENCRYPTION);
    secDesc.setAuthz(iiA);
    secDesc.setDelegation(GSIConstants.GSI_MODE_FULL_DELEG);
    secDesc.setGSSCredential(cred);
}catch(Exception e){System.out.println("Error1: "+e);}
///////////////////////////
try{
    //((Stub) problemsolverFactory)._setProperty(Constants.CLIENT_DESCRIPTOR,secDesc);
    ((Stub) delegFactory)._setProperty(Constants.CLIENT_DESCRIPTOR,secDesc);
    certToSign = DelegationUtil.getCertificateChainRP(delegFactoryEndpoint, secDesc)[0];   //first element in the returned array

    credentialEndpoint = DelegationUtil.delegate(
        delegFactoryurl,        //String
        userGlobusCred,         //GlobusCredential
        certToSign,             //X509Certificate
        lifetime,               //int (seconds)
        true,                   //boolean
        secDesc);               //ClientSecurityDescriptor
}catch (Exception e){System.out.println("Error2:"+e);}

_____________________________

Service side code:

______________________________
MessageContext messageContext = MessageContext.getCurrentContext();
Subject subject = (Subject) messageContext.getProperty(Constants.PEER_SUBJECT);
if (subject != null) {
    // Print inside the null check: toString() on a null subject would throw
    System.out.println("Subject: "+subject.toString());
    cred = JaasGssUtil.getCredential(subject);
}

______________________________
Do I have to do anything else? Or is this implementation not complete?
Or do I have to see some parameters in the configuration file?

Thanks

Salman Toor


  _____  

From: Rachana Ananthakrishnan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 08, 2007 8:46 AM
To: 'Salman Zubair Toor'; 'gt-user'
Cc: 'Johan Tordsson'; 'P-O Östberg'
Subject: RE: [gt-user] Exception while delegating user credentials....


Yes, the DN of the client should be added to the gridmap file configured for
the services, so that they can be authorized.
 
Rachana


  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Salman Zubair Toor
Sent: Sunday, August 05, 2007 9:44 AM
To: gt-user
Cc: Johan Tordsson; P-O Östberg
Subject: [gt-user] Exception while delegating user credentials....


Hi all, 

I want to delegate the user credentials to the service so that the service can
submit the jobs on behalf of the user, but I get an error:


Client side code:

_______________________________

..........

ExtendedGSSManager manager = (ExtendedGSSManager)ExtendedGSSManager.getInstance();
cred = manager.createCredential(GSSCredential.INITIATE_AND_ACCEPT);
GlobusCredential userGlobusCred = ((GlobusGSSCredentialImpl)cred).getGlobusCredential();
iA = new IdentityAuthorization(userGlobusCred.getIdentity());
}catch (Exception e){System.out.println("Eror: "+e);}
try{
((Stub) port)._setProperty(Constants.GSI_SEC_CONV, Constants.ENCRYPTION);
((Stub) port)._setProperty(Constants.AUTHORIZATION,iA);
((Stub) port)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG);
((Stub) port)._setProperty(GSIConstants.GSI_CREDENTIALS, cred);


.........

_______________________________

Service Side code :

_______________________________

Subject subject = JaasSubject.getCurrentSubject();
if (subject != null) {
cred = JaasGssUtil.getCredential(subject);
}
_______________________________

It delivers the credentials but throws this Exception. 


Submission ID: uuid:59a6f3e0-435f-11dc-896a-81489780028d
2007-08-05 16:22:51,934 INFO client.GramJob [ServiceThread-11,submit:415] <startTime name="submission">1186323771934</startTime>
2007-08-05 16:22:51,941 INFO client.GramJob [ServiceThread-11,fetchDelegationFactoryEndpoints:645] <startTime name="fetchDelegFactoryEndoints">1186323771941</startTime>
2007-08-05 16:22:52,272 INFO client.GramJob [ServiceThread-11,fetchDelegationFactoryEndpoints:652] <endTime name="fetchDelegFactoryEndoints">1186323772272</endTime>
2007-08-05 16:22:52,273 INFO client.GramJob [ServiceThread-11,delegate:730] <startTime name="fetchDelegCertChainRP">1186323772273</startTime>
2007-08-05 16:22:52,397 INFO client.GramJob [ServiceThread-11,delegate:739] <endTime name="fetchDelegCertChainRP">1186323772397</endTime>
2007-08-05 16:22:52,398 INFO client.GramJob [ServiceThread-11,delegate:764] <startTime name="delegate">1186323772398</startTime>
2007-08-05 16:22:52,521 WARN authorization.GridMapAuthorization [ServiceThread-10,isPermitted:158] Gridmap authorization failed: peer "/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" not in gridmap file.
2007-08-05 16:22:52,521 WARN authorization.ServiceAuthorizationChain [ServiceThread-10,authorize:292] "/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service
2007-08-05 16:22:52,530 ERROR delegation.DelegationUtil [ServiceThread-11,delegate:440] org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service
java.io.IOException: Job request error: org.globus.delegation.DelegationException: [Caused by: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service]
at org.globus.services.core.problemsolver.impl.ProblemSolverGRAMClient.processJob(ProblemSolverGRAMClient.java:334)
at org.globus.services.core.problemsolver.impl.ProblemSolverGRAMClient.submitRSL(ProblemSolverGRAMClient.java:230)
at org.globus.services.core.problemsolver.impl.ProblemSolverGRAMClient.multiJobSubmission(ProblemSolverGRAMClient.java:498)
at org.globus.services.core.problemsolver.impl.SolverJobSubmission.multiJobProcessing(ProblemSolverService.java:243)
at org.globus.services.core.problemsolver.impl.ProblemSolverService.solverJobSubmission(ProblemSolverService.java:184)
at org.globus.services.core.problemsolver.impl.ProblemSolverService.findResource(ProblemSolverService.java:174)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:379)
at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:147)
at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)



Can anybody guide me on what exactly is wrong in this code? Should I enter
"/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" in the gridmap-file?


Thanks.


Salman Toor.
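
Added example (not part of the thread and not Globus code): a small log triage script that pulls the peers rejected by GridMapAuthorization out of a container log and separates a host DN, which the thread identifies as the sign that the service's own credential rather than the client's delegated credential made the call, from a user DN that is simply missing from the gridmap. The sample log, the sample grid-mapfile, the finding labels and the rule that a final CN of the form CN=<service>/<fqdn> marks a host DN are assumptions made for the example.

```python
import re

# Constructed sample: container log lines in the shape quoted in the thread,
# plus one constructed rejection of a user DN for contrast.
SAMPLE_LOG = (
    '2007-08-05 16:22:52,521 WARN authorization.GridMapAuthorization '
    '[ServiceThread-10,isPermitted:158] Gridmap authorization failed: peer '
    '"/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" not in gridmap file.\n'
    '2007-08-05 16:23:10,004 WARN authorization.GridMapAuthorization '
    '[ServiceThread-12,isPermitted:158] Gridmap authorization failed: peer '
    '"/O=Grid/O=Example/CN=Alice Example" not in gridmap file.\n'
)
# Constructed grid-mapfile: quoted DN, whitespace, local account name.
SAMPLE_GRIDMAP = '# constructed entry\n"/O=Grid/O=Example/CN=Bob Example" bob\n'

# \s+ tolerates a line wrap between "peer" and the DN, as in archived mail.
PEER_RE = re.compile(r'Gridmap authorization failed:\s+peer\s+"([^"]+)"')
ENTRY_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)')

def parse_gridmap(text):
    """Return {DN: local account}; comment and malformed lines do not match."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def is_host_dn(dn):
    """True when the final CN looks like CN=<service>/<fqdn> (assumed rule)."""
    # Split only on '/' that starts a new attribute, so 'host/styx...' stays whole.
    rdns = [r for r in re.split(r'/(?=[A-Za-z]+=)', dn) if r]
    return bool(rdns) and rdns[-1].startswith("CN=") and "/" in rdns[-1]

def triage(log_text, gridmap_text):
    """Return [(dn, finding)] for each distinct peer rejected by the gridmap."""
    gridmap = parse_gridmap(gridmap_text)
    findings = []
    for dn in dict.fromkeys(PEER_RE.findall(log_text)):  # de-duplicate, keep order
        if dn in gridmap:
            finding = "now-mapped"            # gridmap edited after the log line
        elif is_host_dn(dn):
            finding = "host-credential-used"  # delegated client credential not in use
        else:
            finding = "user-not-mapped"       # client DN missing from the gridmap
        findings.append((dn, finding))
    return findings

if __name__ == "__main__":
    for dn, finding in triage(SAMPLE_LOG, SAMPLE_GRIDMAP):
        print(f"{finding:22} {dn}")
```

A "host-credential-used" finding points at the service's run-as setting rather than at the gridmap; a "user-not-mapped" finding points at the gridmap configured for the service.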



