Delegation Service
From TeraGrid Wiki
Description
The delegation service is a Globus Toolkit 4 web service based on the WS-Trust and WSRF specifications. It lets a client delegate a credential (a proxy certificate chain) to other services running in the same container as the delegation service, so that those services can act on the client's behalf for authentication, authorization, and message protection. Note the scope: although a delegated credential can be refreshed remotely, the delegation service can only delegate credentials to services hosted on the same computer, in the same service container; it does not hand credentials to services anywhere else.
The component consists of two associated services: the Delegation Factory Service, which accepts new delegations, and the Delegation Service, which represents one delegated credential.
Services
Delegation Factory Service
The Delegation Factory Service exposes its own certificate chain as a WS-Resource property (CertificateChain). A client reads it, issues a proxy certificate for the public key in that certificate, signed with the client's own credential, and sends the result to the factory. When the factory receives the delegated credential it returns the Endpoint Reference (EPR) of a new Delegation Service resource that holds it. This EPR is the handle to the delegated credential and is what the client passes on to co-hosted services that should use it.
Operations
- RequestSecurityToken: Accepts the delegated credential (the proxy certificate chain issued for the factory's certificate) and returns the EPR of the Delegation Service resource that now holds it.
Resource Properties
- CertificateChain : Exposes the certificate chain of the delegation service's own credential; clients read it to learn which public key to delegate to.
Faults
- RemoteException : General failure exception.
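The delegation step itself, as an added example that is not part of this page or of the Globus Toolkit code: the client takes the public key from the factory's CertificateChain, issues a proxy certificate for it signed with the client's own proxy credential, and the resulting chain is what RequestSecurityToken carries. The program also shows what a verifier of such a chain has to check. It assumes RFC 3820 proxy certificates (GT4 can also emit the older Globus proxy format), uses a self-signed user certificate in place of a CA-issued one, takes the limited-proxy policy OID from Globus's GSI conventions (an assumed value), and stands in for the WS-Trust exchange with an in-memory chain; the names IssueProxy, VerifyProxyChain and Delegate are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// ProxyCertInfo and inheritAll are RFC 3820 OIDs; the limited-proxy policy OID is Globus's (assumed value).
var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}
var oidProxyCertInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14}
var oidPolicyInherit = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1}
var oidPolicyLimited = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3536, 1, 1, 1, 9}

// ProxyCertInfo ::= SEQUENCE { proxyPolicy ProxyPolicy }; pCPathLenConstraint and the policy octets are not modelled.
type proxyPolicy struct{ PolicyLanguage asn1.ObjectIdentifier }
type proxyCertInfo struct{ ProxyPolicy proxyPolicy }

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// selfSigned stands in for the CA-issued user certificate and is the trust anchor here.
func selfSigned(cn string, key *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{"Grid"}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))))
}

// IssueProxy signs a proxy certificate for pub with the issuer's credential (RFC 3820 naming rule: subject =
// issuer's subject plus one CN). For delegation, pub is the factory's public key from its CertificateChain
// resource property; the issuer's private key stays on the client.
func IssueProxy(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey,
	lifetime time.Duration, full bool) *x509.Certificate {
	serial := new(big.Int).Add(must(rand.Int(rand.Reader, big.NewInt(1<<62))), big.NewInt(1))
	policy := map[bool]asn1.ObjectIdentifier{true: oidPolicyInherit, false: oidPolicyLimited}[full]
	pci := must(asn1.Marshal(proxyCertInfo{proxyPolicy{policy}}))
	names := append(append([]pkix.AttributeTypeAndValue{}, issuer.Subject.Names...),
		pkix.AttributeTypeAndValue{Type: oidCommonName, Value: serial.String()})
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{ExtraNames: names},
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().Add(lifetime),
		ExtraExtensions: []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: pci}}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, issuer, pub, issuerKey))))
}

func nameExtends(issuer, subject []pkix.AttributeTypeAndValue) bool {
	ok := len(subject) == len(issuer)+1 && subject[len(issuer)].Type.Equal(oidCommonName)
	for i := 0; ok && i < len(issuer); i++ {
		ok = issuer[i].Type.Equal(subject[i].Type) && issuer[i].Value == subject[i].Value
	}
	return ok
}

// VerifyProxyChain checks a leaf-first chain link by link (the last link against the anchor): validity,
// signature, naming rule and ProxyCertInfo. One limited proxy anywhere makes the whole chain limited.
func VerifyProxyChain(chain []*x509.Certificate, anchor *x509.Certificate, now time.Time) (bool, error) {
	limited := false
	for i, c := range chain {
		parent, policy, info := anchor, asn1.ObjectIdentifier(nil), proxyCertInfo{}
		if i+1 < len(chain) { parent = chain[i+1] }
		for _, ext := range c.Extensions { // pick up the ProxyCertInfo policy language, if present
			if _, err := asn1.Unmarshal(ext.Value, &info); ext.Id.Equal(oidProxyCertInfo) && err == nil {
				policy = info.ProxyPolicy.PolicyLanguage
			}
		}
		switch { // CheckSignature, not CheckSignatureFrom: proxy issuers are end entities, not CAs
		case now.Before(c.NotBefore) || now.After(c.NotAfter):
			return false, fmt.Errorf("proxy %d is outside its validity period", i)
		case parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil:
			return false, fmt.Errorf("proxy %d is not signed by the next certificate", i)
		case !nameExtends(parent.Subject.Names, c.Subject.Names):
			return false, fmt.Errorf("proxy %d does not extend the issuer name by one CN", i)
		case policy == nil:
			return false, fmt.Errorf("proxy %d has no valid ProxyCertInfo", i)
		}
		limited = limited || !policy.Equal(oidPolicyInherit)
	}
	return !limited, nil
}

// Delegate models the walk-through: grid-proxy-init (12h, full), then globus-credential-delegate (-l, -d).
func Delegate(lifetime time.Duration, full bool) (bool, error) {
	userKey, proxyKey, factoryKey := newKey(), newKey(), newKey()
	userCert := selfSigned("alice", userKey)
	userProxy := IssueProxy(userCert, userKey, &proxyKey.PublicKey, 12*time.Hour, true)
	delegated := IssueProxy(userProxy, proxyKey, &factoryKey.PublicKey, lifetime, full)
	return VerifyProxyChain([]*x509.Certificate{delegated, userProxy}, userCert, time.Now())
}

func main() { fmt.Println(Delegate(time.Hour, false)) } // prints: false <nil>
```

Two points worth noticing: the factory ends up with a chain it can use only together with its own private key, so a captured RequestSecurityToken message gives an attacker nothing; and the -d setting is carried in the certificate itself, so a service that later verifies the chain sees "limited" even if an intermediate proxy was full.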
WSDL
Delegation Service
The Delegation Service represents one delegated credential. It exposes the credential as a resource property, can be used to refresh it remotely, and notifies co-hosted services that have registered interest through listeners whenever the credential changes.
Operations
- refresh: Installs a new delegated credential in this resource, for example before the current proxy expires, without changing the EPR. When invoked, all services that have registered interest in the credential through listeners are notified.
Faults
- RemoteException : General failure exception.
WSDL
Examples
Command Line Examples
A credential can be delegated to the Delegation Factory Service with the globus-credential-delegate command found in the $GLOBUS_LOCATION/bin directory.
The usage for the globus-credential-delegate command is as follows:
Delegate [options] fileName
where options can be
-help/--help  Displays usage
-h host       Host; defaults to localhost.
-p port       Port; defaults to 8443 if secure transport is used, else 8080.
-c credential Credential as a proxy file; if not given, the default credential is used.
-l lifetime   Lifetime in seconds; defaults to 12 hours.
-d            If set to true, full delegation is done; any other value means limited delegation. If the option is not specified, defaults to full delegation.
-m            Security mechanism: 'msg' for secure message, 'conv' for secure conversation, 'trans' for transport. Defaults to secure transport.
-n            Protection type: 'sig' for signature, 'enc' for encryption. Defaults to signature.
-a            Authorization; defaults to host authorization (none, host, self, or dn for identity authorization).
and fileName is the file to which the EPR of the delegated credential is written.
To delegate a credential, first create a proxy certificate with $GLOBUS_LOCATION/bin/grid-proxy-init; this is the credential you will delegate. Delegating it to the Delegation Factory Service running at tg-login1.sdsc.teragrid.org looks like this:
% globus-credential-delegate -h tg-login1.sdsc.teragrid.org
and should result in output like this:
Delegated credential EPR:
Address: https://tg-login1.sdsc.teragrid.org:8443/wsrf/services/DelegationService
Reference property[0]:
<ns1:DelegationKey xmlns:ns1="http://www.globus.org/08/2004/delegationService">0bd21a70-aac5-22db-g95d-914d96345826</ns1:DelegationKey>
If you give a file name as the last argument then the XML output will be written to that file:
% globus-credential-delegate -h tg-login1.sdsc.teragrid.org ./EndpointRef.xml
The output written to EndpointRef.xml should look something like this:
<DelegatedEPR xsi:type="ns1:EndpointReferenceType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/03/addressing">
  <ns1:Address xsi:type="ns1:AttributedURI">https://tg-login1.sdsc.teragrid.org:8443/wsrf/services/DelegationService</ns1:Address>
  <ns1:ReferenceProperties xsi:type="ns1:ReferencePropertiesType">
    <ns1:DelegationKey xmlns:ns1="http://www.globus.org/08/2004/delegationService">0bd21a70-bdec-22db-g95d-914d96345826</ns1:DelegationKey>
  </ns1:ReferenceProperties>
  <ns1:ReferenceParameters xsi:type="ns1:ReferenceParametersType"/>
</DelegatedEPR>
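The EPR file is the handle to the delegated credential, so before passing it on to whatever will use that credential it is worth checking that it really names a DelegationService reached over TLS on the host you delegated to. The following program is an added example, not part of this page or of the toolkit: it parses the EndpointRef.xml shown above (embedded as a constant so it runs offline) and applies those checks, returning the service URL and DelegationKey a co-hosted service needs. The type and function names are my own.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// delegatedEPR maps the file globus-credential-delegate writes. The tags carry no
// namespace, so they match the WS-Addressing and delegationService elements
// whatever prefixes the writer chose.
type delegatedEPR struct {
	XMLName  xml.Name `xml:"DelegatedEPR"`
	Address  string   `xml:"Address"`
	RefProps struct {
		DelegationKey string `xml:"DelegationKey"`
	} `xml:"ReferenceProperties"`
}

// CredentialHandle is what a co-hosted service needs to find the delegated
// credential: the Delegation Service URL and the resource key.
type CredentialHandle struct {
	ServiceURL    string
	DelegationKey string
}

// ParseEPR extracts the handle and rejects EPRs that do not point at a
// DelegationService over TLS on the expected host, so a tampered or downgraded
// endpoint is caught before the handle is passed to anything that will call it.
func ParseEPR(doc []byte, expectedHost string) (CredentialHandle, error) {
	var epr delegatedEPR
	if err := xml.Unmarshal(doc, &epr); err != nil {
		return CredentialHandle{}, fmt.Errorf("parse EPR: %w", err)
	}
	addr := strings.TrimSpace(epr.Address)
	u, err := url.Parse(addr)
	if err != nil {
		return CredentialHandle{}, fmt.Errorf("bad Address %q: %w", addr, err)
	}
	key := strings.TrimSpace(epr.RefProps.DelegationKey)
	switch {
	case u.Scheme != "https":
		return CredentialHandle{}, errors.New("EPR address is not https")
	case !strings.EqualFold(u.Hostname(), expectedHost):
		return CredentialHandle{}, fmt.Errorf("EPR host %q is not %q", u.Hostname(), expectedHost)
	case !strings.HasSuffix(u.Path, "/DelegationService"):
		return CredentialHandle{}, fmt.Errorf("EPR path %q is not a DelegationService", u.Path)
	case key == "":
		return CredentialHandle{}, errors.New("EPR carries no DelegationKey reference property")
	}
	return CredentialHandle{ServiceURL: addr, DelegationKey: key}, nil
}

// sampleEPR is the EndpointRef.xml shown above, embedded so the example runs offline.
const sampleEPR = `<DelegatedEPR xsi:type="ns1:EndpointReferenceType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/03/addressing">
  <ns1:Address xsi:type="ns1:AttributedURI">https://tg-login1.sdsc.teragrid.org:8443/wsrf/services/DelegationService</ns1:Address>
  <ns1:ReferenceProperties xsi:type="ns1:ReferencePropertiesType">
    <ns1:DelegationKey xmlns:ns1="http://www.globus.org/08/2004/delegationService">0bd21a70-bdec-22db-g95d-914d96345826</ns1:DelegationKey>
  </ns1:ReferenceProperties>
  <ns1:ReferenceParameters xsi:type="ns1:ReferenceParametersType"/>
</DelegatedEPR>`

func main() {
	h, err := ParseEPR([]byte(sampleEPR), "tg-login1.sdsc.teragrid.org")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("service: %s\nkey:     %s\n", h.ServiceURL, h.DelegationKey)
}
```

The host check matters because the delegation only works for services in the same container as the EPR's DelegationService: an EPR pointing elsewhere is either a mistake or a substitution, and in both cases the credential should not be used.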
Programmatic Examples
For use from Java, Globus Toolkit 4 provides the DelegationUtil class, whose methods cover all of the functionality the Delegation Service offers: delegating a credential, obtaining the factory's certificate chain, and refreshing a delegated credential.
