credential delegation protocol

Guy Rixon guyrixon at gmail.com
Sat Sep 11 03:15:40 PDT 2010


Hi Pat,

if you look in the AstroGrid security-facade library, you will find  
Java implementations of both the service and client ends of the CDP.  
These have been in use in AstroGrid services since the 2009.1 release.  
AFAIK, there are no outstanding bugs in the CDP implementation, but I  
stand ready to support it if anybody finds any.

The latest version is 2010.1, available in the directory at

http://www.astrogrid.org/maven2/org/astrogrid/astrogrid-security/2010.1/

and the docs are on-line at

http://software.astrogrid.org/doc/p/security/2010.1/

It's also available through Maven-2 if you set up
http://www.astrogrid.org/maven2/ as one of your repositories. (Please
note that the versions of many of the components linked from the front
pages of web-sites http://deployer.astrogrid.org/ and
http://software.astrogrid.org/ are typically out of date.)

The service end of this implementation is a servlet which caches the  
delegated credentials in a static store. The latter class has the API  
by which other software gets at the credentials after the CDP has run.  
It's designed to be plugged into any Java web-application.

You'll also find, in the security library, packages for creating proxy  
certificates and for validating chains that include proxies. These are  
adapted from the Java-CoG library for Globus stuff and the more-recent  
versions of Bouncy Castle. These utility packages might be useful  
separately from the CDP.

CDP is basically an alternative to MyProxy. Before we wrote CDP, I was  
trying to use MyProxy in AstroGrid and it caused a lot of problems,  
firstly because it was easy to misconfigure but more seriously and  
chronically because it needs port 7512 and many of our users found  
that port blocked at their own, client-site firewalls. CDP was written  
to fix that situation.

You could implement CDP as a facade over MyProxy. You'd need a MyProxy  
client in Java; there's one in the Java CoG kit, but it's intended for  
different use-cases and is rather hard to use for the simple ones  
involved here. There's also a pre-release client for MyProxy in my  
security library which needs finishing off and testing; I stopped work  
on this because I didn't have a MyProxy server-installation I trusted  
for use as a test fixture. My guess would be that CDP-over-MyProxy  
would be more code and more complicated than my pure-servlet  
implementation. I think it would work, but not be worth the trouble of  
debugging just to get CDP (note that the NCSA implementation of the  
server seems to depart from the documented protocol in a few subtle  
details, so debugging the client is loadsa fun). However, if you  
wanted to delegate from a web service to a grid, where the grid would  
use the native interface to MyProxy, then it might be good.

Hope this helps,

Guy



On 10 Sep 2010, at 21:03, Patrick Dowler wrote:

>
> We have gone off the deep end in using X509 certificates for several
> projects here in CADC and specifically in using IVOA standards wherever
> possible. In the grid processing system we have people creating and
> maintaining VMs and running them in "the cloud". Then users wanted to
> create, copy, and delete VMs and even share VMs with other users (eg
> these people can run my VM == group-read permission)... the easy
> solution was to have users store their VMs in VOSpace because it does
> all that.
>
> However, to do that we now have other services which need to get the
> VM from the VOSpace (eg the cloud system and the VM config system we
> set up so users could boot/modify/save their VM on our side of the
> network) and that had to be done with the users' credentials. We needed
> to have a proxy certificate/key pair we could use... we needed a
> standard way to do that from several places... we need a credential
> delegation proto... heh! Here's one right here on ivoa.net and it's
> already a standard!!
>
> So, first thing: thanks to GWS for being ahead of the curve :-)
>
> Has anyone implemented CDP? In Java? It seems there are many ways to
> do X509 stuff wrong that still sort of work and there is more
> misinformation on the net than I thought possible.
>
> Also, has anyone worked with MyProxy (from NCSA) and can you explain
> the overlap of that with CDP? Could one build CDP REST bindings on top
> of MyProxy and thus get some stuff for free?
>
> Anyway, we will be implementing CDP sometime soon.
>
> -- 
>
> Patrick Dowler
> Tel/Tél: (250) 363-0044
> Canadian Astronomy Data Centre
> National Research Council Canada
> 5071 West Saanich Road
> Victoria, BC V9E 2M7
>
> Centre canadien de donnees astronomiques
> Conseil national de recherches Canada
> 5071, chemin West Saanich
> Victoria (C.-B.) V9E 2M7
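As an added illustration of the chain validation Guy describes (the security library's packages for "validating chains that include proxies") and of Patrick's point that there are "many ways to do X509 stuff wrong that still sort of work", the following Python example is supplied here by the editor; it is not code from AstroGrid, from the CDP specification, or from either poster. It assumes the `cryptography` package is installed, constructs a CA / end-entity / proxy chain with RSA keys, and applies the proxy rules from RFC 3820 that a service must check before caching a delegated credential: a proxy's subject is its issuer's DN plus exactly one CN, it is signed by the issuer's own (non-CA) key, and it must not outlive its issuer. The ProxyCertInfo extension that RFC 3820 also defines is left out to keep the example short; the names `validate_proxy_chain`, `build_proxy` and the "Example Grid CA" identities are all constructed for the example.

```python
"""Constructed example: build and validate an X.509 chain that ends in an
RFC 3820 style proxy certificate (editor's example, not AstroGrid code)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_cert(subject, issuer_name, issuer_key, public_key, ca, lifetime, serial=None):
    """Issue a certificate; `ca` drives the BasicConstraints extension."""
    now = datetime.datetime.now(UTC)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(serial if serial is not None else x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + lifetime)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def build_proxy(issuer_cert, issuer_key, proxy_public_key, lifetime):
    """RFC 3820 naming: proxy DN = issuer DN + one CN (here the serial number).
    The proxy is signed with the issuer's own key and is never a CA."""
    serial = x509.random_serial_number()
    subject = x509.Name(list(issuer_cert.subject)
                        + [x509.NameAttribute(NameOID.COMMON_NAME, str(serial))])
    return build_cert(subject, issuer_cert.subject, issuer_key, proxy_public_key,
                      False, lifetime, serial)


def marked_as_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _utc(cert, attr):
    """Validity bound as an aware datetime (handles old and new cryptography)."""
    value = getattr(cert, attr + "_utc", None)  # cryptography >= 42
    if value is None:
        value = getattr(cert, attr).replace(tzinfo=UTC)
    return value


def validate_proxy_chain(chain, trust_anchor):
    """chain[0] is the leaf, chain[-1] the end-entity cert issued by trust_anchor
    (intermediate CAs are not handled here). Returns (ok, reason)."""
    if not marked_as_ca(trust_anchor):
        return False, "trust anchor is not a CA"
    now = datetime.datetime.now(UTC)
    issuers = chain[1:] + [trust_anchor]
    for depth, (cert, issuer) in enumerate(zip(chain, issuers)):
        if cert.issuer != issuer.subject:
            return False, f"depth {depth}: issuer DN mismatch"
        try:  # the signature must really come from the claimed issuer's key
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return False, f"depth {depth}: signature not made by claimed issuer"
        if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
            return False, f"depth {depth}: outside validity period"
        if marked_as_ca(cert):
            return False, f"depth {depth}: CA certificate where a leaf or proxy is expected"
        if marked_as_ca(issuer):
            continue  # ordinary end-entity certificate issued by a CA
        # Issuer is not a CA, so this certificate can only be a proxy: apply proxy rules.
        subj = list(cert.subject)
        if subj[:-1] != list(issuer.subject) or subj[-1].oid != NameOID.COMMON_NAME:
            return False, f"depth {depth}: proxy DN is not issuer DN plus one CN"
        if _utc(cert, "not_valid_after") > _utc(issuer, "not_valid_after"):
            return False, f"depth {depth}: proxy outlives its issuer"
    return True, "ok"


def demo():
    """Constructed fixture: CA -> alice -> alice's proxy, plus three malformed
    proxies that a service-side credential store must refuse."""
    ca_key, alice_key, proxy_key, other_key = (make_key() for _ in range(4))
    ca_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Grid CA")])
    ca = build_cert(ca_name, ca_name, ca_key, ca_key.public_key(), True,
                    datetime.timedelta(days=365))
    alice_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Grid CA"),
                            x509.NameAttribute(NameOID.COMMON_NAME, "alice")])
    alice = build_cert(alice_name, ca_name, ca_key, alice_key.public_key(), False,
                       datetime.timedelta(days=30))
    good = build_proxy(alice, alice_key, proxy_key.public_key(), datetime.timedelta(hours=12))
    # Names alice as issuer but is signed with a different key.
    forged = build_proxy(alice, other_key, proxy_key.public_key(), datetime.timedelta(hours=12))
    # Signed by alice but carrying a DN that does not extend hers.
    bob_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "bob")])
    renamed = build_cert(bob_name, alice_name, alice_key, proxy_key.public_key(), False,
                         datetime.timedelta(hours=12))
    # Would stay valid after alice's own certificate has expired.
    long_lived = build_proxy(alice, alice_key, proxy_key.public_key(), datetime.timedelta(days=60))
    return {name: validate_proxy_chain([cert, alice], ca) for name, cert in
            [("good", good), ("forged", forged), ("renamed", renamed), ("long_lived", long_lived)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

`validate_proxy_chain` takes the leaf first and the end-entity certificate last, which is the order a service receives them in a delegated credential; `demo()` returns the verdict for one well-formed proxy and for three that pass a naive "is the issuer DN right?" check but fail signature, naming, or lifetime validation.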
