Two other pieces are Delegation Service and GridFTP server. They default to gridmap authorization and in your case, they might be triggered.

For delegation service, you can modify the security descriptor like you have for the other WS* services.

For GridFTP, you will need C callouts that use VOMS credentials or equivalent of the VOMS PDP - I haven't tried this, but PRIMA callouts might help with the VOMS pieces. This was the first hit on a search: http://computing.fnal.gov/docs/products/voprivilege/prima/prima.html.

Maybe someone from the GridFTP team has other suggestions.

Rachana
_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kakoli Sen
Sent: Friday, September 12, 2008 6:34 AM
To: [email protected]
Cc: [EMAIL PROTECTED]
Subject: [gt-user] Using VOMS interceptors for Globus services like RFT, GRAM etc.

Hello all,

We are using VOMS credentials to access Globus services like RFT, GRAM etc. For this, we have installed VOMS server, VOMS client. And the VOMS interceptor is deployed in the Globus container.

After this, we were able to successfully invoke our own service 'DeployService' whose security config file and wsdd file have been attached. Here grid-map authz. has been disabled and authZ. value points to VOMS PDP and PIP. So the global grid-map need not have an entry for the client DN through which the service is invoked.

Then we are trying RFT service similarly. (Only ReliableFileTransferService is configured to use VOMS PDP and PIP and grid-map authZ. is disabled). But here, the transfer happens successfully only if the global grid-mapfile has an entry for the client DN. If the entry is absent it gives the following error:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body><soapenv:Fault>
<faultcode>soapenv:Server.userException</faultcode>
<faultstring>org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/C=IN/O=C-DAC KP Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service</faultstring>
<detail><ns1:stackTrace xmlns:ns1="http://xml.apache.org/axis/">org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/C=IN/O=C-DAC KP Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service
    at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:301)
    at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:272)
    at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:235)
    at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(AuthorizationHandler.java:177)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
    at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
    at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
    at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
</ns1:stackTrace><ns2:hostname xmlns:ns2="http://xml.apache.org/axis/">sukeshini.cdacb.ernet.in</ns2:hostname></detail>
</soapenv:Fault></soapenv:Body></soapenv:Envelope>

My guess is that RFT may actually be invoking other services which may be referring to the original grid-map.

Then my query is: What other services are actually involved?
Has anyone configured Globus RFT service to use PDP and PIP instead of gridmap authZ.?

Thanks & Regards,
Kakoli

________________________________________________________________________
KAKOLI SEN                    Ph:91-80-25341909/215(Extn. 309)
C-DAC Knowledge Park          E-mail:
#1, Old Madras Road           [EMAIL PROTECTED]
Bangalore - 560 038, INDIA    [EMAIL PROTECTED]
________________________________________________________________________
