Two other pieces are Delegation Service and GridFTP server. They default to
gridmap authorization and in your case, they might be triggered. For
delegation service, you can modify the security descriptor like you have for
the other WS* services.
 
For GridFTP, you will need C callouts that use VOMS credentials or
equivalent of the VOMS PDP - I haven't tried this, but PRIMA callouts might
help with the VOMS pieces. This was the first hit on a search:
http://computing.fnal.gov/docs/products/voprivilege/prima/prima.html. Maybe
someone from the GridFTP team has other suggestions.
 
Rachana
 



  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Kakoli Sen
Sent: Friday, September 12, 2008 6:34 AM
To: [email protected]
Cc: [EMAIL PROTECTED]
Subject: [gt-user] Using VOMS interceptors for Globus services like RFT,
GRAM etc.



Hello all,
    We are using VOMS credential to access Globus services like RFT, GRAM
etc.
For this, we have installed VOMS server, VOMS client. And the VOMS
interceptor is deployed in the Globus container.
After this, we were able to succesfully invoke our own service
'DeployService' whose security config file and wsdd file has been attached.
Here grid-map authz. has been disabled and authZ. value points to VOMS PDP
and PIP. So the global grid-map need not have an entry for the client DN
through which the service is invoked.

Then we are trying RFT service similarly.(Only ReliableFileTransferService
is configured to use VOMS PDP and PIP and grid-map authZ. is disabled).
But here, the transfer happens successfully only if the global grid-mapfile
has an entry for the client DN.
If the entry is absent it gives the following error:

<soapenv:Envelope xmlns:soapenv="
<http://schemas.xmlsoap.org/soap/envelope/>
http://schemas.xmlsoap.org/soap/envelope/"; xmlns:xsd="
<http://www.w3.org/2001/XMLSchema> http://www.w3.org/2001/XMLSchema";
xmlns:xsi=" <http://www.w3.org/2001/XMLSchema-instance>
http://www.w3.org/2001/XMLSchema-instance";><soapenv:Body><soapenv:Fault><fau
ltcode>soapenv:Server.userException</faultcode><faultstring>org.globus.wsrf.
impl.security.authorization.exceptions.AuthorizationException:
&quot;/C=IN/O=C-DAC KP
Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis&quot; is not authorized to
use operation:
{http://www.globus.org/08/2004/delegationService}requestSecurityToken on
this service</faultstring><detail><ns1:stackTrace xmlns:ns1="
<http://xml.apache.org/axis/>
http://xml.apache.org/axis/";>org.globus.wsrf.impl.security.authorization.exc
eptions.AuthorizationException: &quot;/C=IN/O=C-DAC KP
Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis&quot; is not authorized to
use operation:
{http://www.globus.org/08/2004/delegationService}requestSecurityToken on
this service
        at
org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.author
ize(ServiceAuthorizationChain.java:301)
        at
org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.author
ize(ServiceAuthorizationChain.java:272)
        at
org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.author
ize(ServiceAuthorizationChain.java:235)
        at
org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(Auth
orizationHandler.java:177)
        at
org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:
32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
        at
org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
        at
org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
        at
org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
</ns1:stackTrace><ns2:hostname xmlns:ns2=" <http://xml.apache.org/axis/>
http://xml.apache.org/axis/";>sukeshini.cdacb.ernet.in</ns2:hostname></detail
></soapenv:Fault></soapenv:Body></soapenv:Envelope>


My guess is that RFT may actually be invoking other services which may be
referring to the original grid--map. 

Then my query is : What other services are actually involved?

Has anyone configured Globus RFTservice to use PDP and PIP instead of
gridmap authZ.?

Thanks & Regards,

Kakoli
________________________________________________________________________
KAKOLI SEN                              Ph:91-80-25341909/215(Extn. 309)
C-DAC Knowledge Park                    E-mail:
#1, Old Madras Road                     [EMAIL PROTECTED]
Bangalore - 560 038, INDIA              [EMAIL PROTECTED]
________________________________________________________________________



-- 
This message has been scanned for viruses and 
dangerous content by  <http://www.cdac.in/> MailScanner, and is 
believed to be clean. 

Reply via email to