GlobusRun.java has an example of using HostOrSelf, as I believe I mentioned in an earlier mail. However, I agree with Johan's assessment of using the Delegation service. The WS-GRAM service has a lot of code dealing with delegated credentials from the user, as it uses them for both staging and job delegation. See, for instance, ws-gram/service/java/source/src/org/globus/exec/service/utils/DelegatedCredential.java
Charles
On Dec 4, 2007, at 6:45 AM, Zeeshan Ali Shah wrote:
Hi Johan,
I used the same example code from the book (Physical Service and Math Service), and it specifies the same mechanism that I have written.
Can you please send me some pointers or a guide to the way you mentioned, a coding example or some text?
thanks
Zeeshan
Johan Tordsson wrote:
Dear Zeeshan,
You probably neither want to change the ownership of the service nor run the service as the caller identity, as this leads to scenarios like the one you described below.
Instead, delegate credentials to the service from the user. Next, let the service (still running as user 'globus') fetch the delegated credentials. These credentials can now be used for invoking other services (set them on the stub), or be used, e.g., to specify ownership of a certain WS-Resource.
Best regards,
Johan
On Tue, 4 Dec 2007, Zeeshan Ali Shah wrote:
Hi,
I am using the GT Dev 4.1.3 release now and used the delegation mechanisms as stated in the Globus book and online tutorial, with modification of the security-config.xml schema.
I edited two parts of the service. First, its security descriptor, which is now:
    <methodAuthentication>
        <method name="CreateActivity">
            <run-as value="caller"/>
        </method>
    </methodAuthentication>
    <auth-method>
        <GSISecureConversation/>
        <GSISecureMessage/>
        <GSISecureTransport/>
    </auth-method>
    <authzChain>
        <pdps>
            <interceptor name="none"/>
        </pdps>
    </authzChain>
and on the server side, under the method createActivity, I wrote:
    try {
        SecurityManager.getManager().setServiceOwnerFromContext();
        ..............
On the client side I am using HostAuthorization. In the initial invocation it works fine, as when the server starts the service is using the host cert, right?
Now suppose there are two users (A, B).
Question 1: In the first invocation the service will run as 'User A'. What happens when 'User B' tries to invoke the same service? The client will give an error, since now the service is running as 'User A', which means that HostAuthorization and SelfAuthorization will not work for 'User B'. Any suggestion please?
Question 2: Is it possible to switch back to the initial service context (which was host based when the server started) after invocation of the delegated method?
regards
Zeeshan
Zeeshan Ali Shah wrote:
Hi ,
HostOrSelfAuthorization does not have .getInstance(), so I used the normal constructor as
    HostOrSelfAuthorization hs = new HostOrSelfAuthorization();
    ((Stub) besFactory)._setProperty(Constants.GSI_SEC_CONV, Constants.SIGNATURE);
    ((Stub) besFactory)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG);
    ((Stub) besFactory)._setProperty(Constants.AUTHORIZATION, hs); // see here
but I am getting this error:
    Failure unspecified at GSS-API level (Mechanism level: [JGLOBUS-59] Cannot request delegation without authorization (target name null))
Any suggestion?
Zeeshan
Charles Bacon wrote:
Questions: So, either I should not have the service run as the caller (if yes, then how will delegation work?), or have the client expect its own identity after it has delegated (how to switch back?). regards, Zeeshan
The client can call another setProperty call to switch over to Self authorization, the exact same way your quoted code goes to Host authorization in the first place.
Or, as we also discussed, you can use HostOrSelfAuthorization the whole time.
Charles
---------------------------------
Johan Tordsson
Department of Computing Science
Umea University
SE-901 87 Umea
tordsson_at_cs.umu.se
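The client-side configuration that the thread converges on, written out as an added example. This is not code from the thread, from GlobusRun.java or from the Globus Toolkit itself; it only reuses the stub properties Zeeshan quoted (Constants.GSI_SEC_CONV, GSIConstants.GSI_MODE_FULL_DELEG, Constants.AUTHORIZATION) and the HostOrSelfAuthorization constructor he said he had to use. It shows the two fixes Charles offered (host-or-self the whole time, or switching the expected server identity between Host and Self on the same stub) and the JGLOBUS-59 trigger (delegation requested with no authorization set). The service-side class, its name ActivityService and the method createActivity are assumptions for illustration; it keeps running as 'globus' as Johan advises, so it never calls setServiceOwnerFromContext(), and the actual fetch of the delegated credential through the Delegation service is not shown.

```java
// Added example, not code from the thread or from the Globus Toolkit.
// Assumed/hypothetical: the stub variable passed in, the service class
// ActivityService and its method createActivity.
import javax.xml.rpc.Stub;

import org.globus.gsi.GSIConstants;
import org.globus.wsrf.impl.security.authorization.HostAuthorization;
import org.globus.wsrf.impl.security.authorization.HostOrSelfAuthorization;
import org.globus.wsrf.impl.security.authorization.SelfAuthorization;
import org.globus.wsrf.security.Constants;
import org.globus.wsrf.security.SecurityManager;

public final class DelegatingClientConfig {

    /**
     * Secure conversation with signing and full delegation, with the
     * client-side authorization object chosen by the caller. These are the
     * same three _setProperty calls quoted in the thread; authz is typed as
     * Object because that is what _setProperty accepts.
     */
    public static void configure(Stub stub, Object authz) {
        if (authz == null) {
            // Requesting delegation with no authorization set is what
            // produces the "[JGLOBUS-59] Cannot request delegation without
            // authorization (target name null)" error seen in the thread;
            // fail early with a clearer message instead.
            throw new IllegalArgumentException(
                "delegation requires an authorization (Host, Self or HostOrSelf)");
        }
        stub._setProperty(Constants.GSI_SEC_CONV, Constants.SIGNATURE);
        stub._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG);
        stub._setProperty(Constants.AUTHORIZATION, authz);
    }

    /**
     * Charles's first option: accept either the container's host identity
     * or the client's own identity as the server identity for the whole
     * session. The thread notes GT 4.1.3 has no getInstance() here, hence
     * the constructor.
     */
    public static void configureHostOrSelf(Stub stub) {
        configure(stub, new HostOrSelfAuthorization());
    }

    /**
     * Charles's second option: start with Host authorization, then switch
     * the same stub to Self authorization before a call where the service
     * is expected to present the delegated (client) identity.
     */
    public static void configureHostThenSwitchToSelf(Stub stub) {
        configure(stub, HostAuthorization.getInstance());
        // ... initial invocation against the host identity here ...
        stub._setProperty(Constants.AUTHORIZATION, SelfAuthorization.getInstance());
    }
}

/**
 * Assumed service-side counterpart (hypothetical class and method names).
 * Following Johan's advice, the service keeps running as 'globus' and does
 * NOT call SecurityManager.setServiceOwnerFromContext(), so the container
 * keeps presenting the host certificate to every client and Host
 * authorization keeps working for user B after user A has called.
 */
final class ActivityService {
    public String createActivity() {
        // Identity of the authenticated caller (the delegating user).
        String callerDn = SecurityManager.getManager().getCaller();
        // The delegated credential itself would be fetched from the
        // Delegation service here (compare WS-GRAM's DelegatedCredential.java)
        // and set on stubs for onward calls; that step is not shown.
        return callerDn;
    }
}
```

With the service owner left unchanged, the question of "switching back" to the host context never arises: the service never left it, and the per-user identity lives in the delegated credential rather than in the service's run-as identity.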