[Gridsphere-users] Gridsphere / Vine - Myproxy auto-authentication

Michael Russell russell at man.poznan.pl
Wed May 14 23:04:55 PDT 2008


Hi Mircea,

Thanks for your interest in our new project!

Firstly, we have fixed most of the issues that prevented a full 1.0  
release last Friday and intend to put out a 1.0 Release Candidate  
(RC) 1 tomorrow.

Second, you should know that Vine, unlike GridPortlets, will only  
deploy Domain.xml once. So after your initial install, you will need  
to edit Domain.xml in:

     $CATALINA_HOME/webapps/vine/WEB-INF/vine/resources/Domain.xml

You can edit this file directly or use the Resource Manager Portlet  
to edit it online.

However, like GridPortlets, Vine provides a handy uninstall feature.  
So invoking "ant uninstall" will cleanly remove Vine from Apache  
Tomcat and GridSphere, including Domain.xml.

Third, Vine has a different set of "resource tags" from GridPortlets.  
We decided to use a format that is more consistent with the current  
recommended practices for XML. The general pattern for a resource tag  
is like so:

"<resource-name-in-lower-case>Resource"

So whereas GridPortlets had "myproxy-resource", Vine has  
"myproxyResource", and so on. One other difference between Vine and  
GridPortlets is that the "hardware-resource" tag has been changed to  
"hostResource".

Now I'll do my best to answer below.

On May 14, 2008, at 10:28 PM, Mircea Deaconu wrote:

>   Hello everyone,
>
> 1.  I'm trying to configure Gridsphere 3.0 / Vine 1.0 Beta to  
> authenticate with Myproxy right from the login portlet (the sparse  
> documentation available regarding this subject indicates that this  
> is something that can be done :) ) using the gridsphere username  
> and the password used to store the proxy. I know it can be done, I  
> know it must be pretty simple, I'm going pretty mad. If someone  
> knows how to configure the Vine's Domain.xml file or Gridsphere's  
> configs (in detail) to do that I would be forever thankful.

Configuring Domain.xml to support MyProxy involves 2 steps:

a. Activate the Credential Repository Authentication Module:

     <authenticationModule key="CredentialRepositoryAuthModule"/>

Vine has several different "authentication modules" you can use to  
configure Vine security. Vine's security mechanisms are divorced from  
GridSphere's to support the ability to deploy Vine to other portal  
environments, as well as for use as its own web application or in  
standalone apps. This is just one of several included in the "Grid  
Vine" project (as Vine consists of multiple projects). You should  
also have one more Authentication Module registered with your  
Domain.xml, the Portlet Authentication Module:

     <authenticationModule key="PortletAuthModule"/>

Registering this after Credential Repository Auth Module will ensure  
that if authentication fails with the Credential Repository Auth  
Module, then Vine will allow you to authenticate if you successfully  
authenticate with the GridSphere portlet container's own  
authentication mechanisms. This means you can easily integrate Vine  
with other web apps that have their own authentication modules and  
even GridPortlets.

b. Register a credential repository with Vine. Currently, MyProxy is  
the only supported credential repository. Here is an example straight  
from our GT4 installer:

     <!-- Your MyProxy host -->
     <hostResource hostname="rage1.man.poznan.pl"
                   label="PSNC GT4 Resource"
                   description="PSNC GT4 Demonstration Resource">

         <!-- MyProxy -->
         <myproxyResource label="PSNC (MyProxy)"
                          useCredential="false"
                          checkConnection="true"
                          timeoutMiliseconds="2000"/>

     </hostResource>

MyProxy is a "Service Resource" in the Vine world and all service  
resources are hosted on a "Host Resource", therefore you must  
register "myproxyResource" as a child of some "hostResource" in  
Domain.xml. Moreover, MyProxy can be configured in various ways. If  
your MyProxy does not require your portal to have its own credential  
to be authorized to delegate credentials on behalf of users, then you  
can use the "useCredential=false" attribute, as in the example above.

So with these 2 items, a Credential Repository Auth Module and a  
MyProxy Resource entry, you will have authentication support with  
MyProxy.

I've included a full Domain.xml example at the end of this message.

>
> 2. Is there a globus integration for new gridsphere users creation  
> that adds users into gridmap files and maybe also creates the user  
> certificates automatically?

Yes, Vine does support this feature. In fact, I've never liked  
MyProxy since it is not even remotely close to being a true "single  
sign-on" solution. The fact that users are required to possess a  
separate client for periodically delegating their credentials to  
MyProxy, the fact that the MyProxy command requires 2 password  
entries and the fact you have to then separately login to the  
portal... well, I don't see how the designers of MyProxy consider  
this to be a "single" anything! Moreover, it exposes end-users to  
security mechanisms they are likely not going to understand or even  
care to understand. Finally, I think a securely firewalled portal is  
a much better and safer means of managing user credentials than  
relying on end-users to manage their own credentials. Who knows where  
and what end-users will do with their certificates and private keys.

Vine has the features of GAMA and more, in fact, but we are still in  
the process of documenting what Vine can do. So please try getting  
the MyProxy to work first. We will be launching a public  
demonstration portal in the near future that will show how to use  
Vine to manage user accounts, manage their credentials, auto-register  
them with target compute resources and more. We will then post news  
about how you can do the same with your Vine distributions.

Regards,

Michael

....

<domain name="gt4" label="Globus Toolkit 4" description="Globus Toolkit 4">

     <!-- Credential repository authentication (For use with "myproxyResource") -->
     <authenticationModule key="CredentialRepositoryAuthModule"/>

     <!-- Portlet authentication -->
     <authenticationModule key="PortletAuthModule"/>

     <!-- Portal -->
     <hostResource hostname="localhost"
                   label="Portal"
                   description="Portal">

         <!-- Portal file system (Do not remove!) -->
         <portalFileSystem label="Portal File System"
                           description="Portal File System"/>

     </hostResource>

     <!-- Rage1 Cluster -->
     <hostResource hostname="rage1.man.poznan.pl"
                   label="PSNC GT4 Resource"
                   description="PSNC GT4 Demonstration Resource">

         <!-- MyProxy -->
         <myproxyResource label="PSNC (MyProxy)"
                          useCredential="false"
                          checkConnection="true"
                          timeoutMiliseconds="2000"/>

         <!-- GridFtp -->
         <gridftpResource label="PSNC (Grid-FTP)"/>

         <!-- WS-GRAM -->
         <wsGramResource label="PSNC (WS-GRAM)" port="8443">

             <!-- possible values: FORK, LSF, PBS, MULTI, CONDOR -->
             <resourceAttribute name="factoryType" value="FORK"/>
             <resourceAttribute name="WsrfResource.AuthorizationType" value="host"/>
             <resourceAttribute name="WsrfResource.DelegationEnabled" value="true"/>
             <resourceAttribute name="WsrfResource.MessageProtectionType" value="2"/>

         </wsGramResource>

         <!--WS MDS-->
         <wsMdsResource label="PSNC (WS-MDS)"/>

     </hostResource>

</domain>
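As an added example, not part of the original message or of the Vine project, here is a small Python checker that parses a Domain.xml and verifies the two points the reply makes: the authentication modules are registered in fallback order, and every myproxyResource sits under a hostResource; it also flags useCredential="false" as a note for the operator to confirm. The sample XML is constructed from the example above, and the function name check_domain and the "error"/"note" levels are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Domain.xml in the message above (not Vine's own file).
DOMAIN_XML = """<domain name="gt4" label="Globus Toolkit 4" description="Globus Toolkit 4">
  <authenticationModule key="CredentialRepositoryAuthModule"/>
  <authenticationModule key="PortletAuthModule"/>
  <hostResource hostname="localhost" label="Portal" description="Portal">
    <portalFileSystem label="Portal File System" description="Portal File System"/>
  </hostResource>
  <hostResource hostname="rage1.man.poznan.pl" label="PSNC GT4 Resource"
                description="PSNC GT4 Demonstration Resource">
    <myproxyResource label="PSNC (MyProxy)" useCredential="false"
                     checkConnection="true" timeoutMiliseconds="2000"/>
  </hostResource>
</domain>"""

CRED = "CredentialRepositoryAuthModule"
PORTLET = "PortletAuthModule"

def check_domain(xml_text):
    """Return a list of (level, message) findings; level is 'error' or 'note'."""
    root = ET.fromstring(xml_text)
    findings = []
    keys = [m.get("key") for m in root.findall("authenticationModule")]
    # ElementTree keeps no parent links, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    myproxy = list(root.iter("myproxyResource"))
    # Step (a): a myproxyResource does nothing without the credential repository module.
    if myproxy and CRED not in keys:
        findings.append(("error", "myproxyResource present but %s is not registered" % CRED))
    # PortletAuthModule only acts as the fallback when it is registered after CRED.
    if CRED in keys and PORTLET in keys and keys.index(PORTLET) < keys.index(CRED):
        findings.append(("error", "%s registered before %s: fallback order is wrong" % (PORTLET, CRED)))
    # The portal file system entry is marked "Do not remove!" in the shipped Domain.xml.
    if root.find("hostResource/portalFileSystem") is None:
        findings.append(("error", "no portalFileSystem under any hostResource"))
    for mp in myproxy:
        label = mp.get("label")
        # Step (b): every service resource must be a child of a hostResource.
        if parent[mp].tag != "hostResource":
            findings.append(("error", "myproxyResource %r is not a child of a hostResource" % label))
        # checkConnection="true" with no positive timeout would stall login on a dead MyProxy.
        timeout = mp.get("timeoutMiliseconds", "")
        if mp.get("checkConnection") == "true" and not (timeout.isdigit() and int(timeout) > 0):
            findings.append(("error", "myproxyResource %r needs a positive timeoutMiliseconds" % label))
        # useCredential="false": the portal delegates with no credential of its own; confirm the server allows it.
        if mp.get("useCredential", "true").lower() == "false":
            findings.append(("note", "myproxyResource %r has useCredential=\"false\"" % label))
    return findings
```

Run it against the file under $CATALINA_HOME/webapps/vine/WEB-INF/vine/resources/ after each edit; an empty error list means the MyProxy wiring described above is in place.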
