VOMS (Virtual Organization Membership Service) provides support for managing group membership and roles in grid security. We can consider many ways in which MyProxy might be used with VOMS:
MyProxy's VOMS support continues to evolve. Please join the discussions on the myproxy-user mailing list about it. For an example of using MyProxy and VOMS together in Java, see http://projects.arcs.org.au/trac/common-grid-libs/wiki/ProxyLight.
Using MyProxy's Command-Line VOMS Support

Starting in MyProxy version 3.9, the myproxy-init and myproxy-logon clients contain --voms options to add VOMS attributes to credentials stored in the MyProxy repository or retrieved from MyProxy. The --voms option requires voms-proxy-init to be installed and configured on your system, but the MyProxy clients do not need to be specially configured with VOMS support or linked with VOMS libraries.

To store a credential in the MyProxy repository containing VOMS attributes, use myproxy-init --voms VO, similar to the voms-proxy-init -voms VO command. For example:

    $ myproxy-init --voms NCSA
    Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
    Enter GRID pass phrase:
    verify OK
    Creating temporary proxy .................................................................... Done
    Contacting voms.ncsa.uiuc.edu:15000 [/C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu] "NCSA" Done
    Creating proxy ....................................................... Done
    Your proxy is valid until Fri Nov 2 09:41:27 2007
    Enter MyProxy pass phrase:
    Verifying - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.

We can then retrieve a proxy and verify that it contains the VOMS attributes:

    $ myproxy-logon
    Enter MyProxy pass phrase:
    A credential has been received for user jbasney in /tmp/x509up_u502.
    $ voms-proxy-info -all
    subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy
    identity  : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy
    type      : unknown
    strength  : 1024 bits
    path      : /tmp/x509up_u502
    timeleft  : 11:59:58
    === VO NCSA extension information ===
    VO        : NCSA
    subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
    issuer    : /C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu
    attribute : /NCSA/Role=NULL/Capability=NULL
    timeleft  : 11:59:48

Alternatively, to add VOMS attributes to a proxy retrieved from MyProxy, use myproxy-logon --voms VO, similar to the voms-proxy-init -voms VO command. For example:

    $ myproxy-logon --voms NCSA
    Enter MyProxy pass phrase:
    Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
    Creating temporary proxy .............................................................. Done
    Contacting voms.ncsa.uiuc.edu:15000 [/C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu] "NCSA" Done
    Creating proxy .................................................. Done
    Your proxy is valid until Fri Oct 26 21:43:24 2007
    A credential has been received for user jbasney in /tmp/x509up_u502.
    $ voms-proxy-info -all
    subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
    identity  : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
    type      : unknown
    strength  : 1024 bits
    path      : /tmp/x509up_u502
    timeleft  : 11:58:55
    === VO NCSA extension information ===
    VO        : NCSA
    subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
    issuer    : /C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu
    attribute : /NCSA/Role=NULL/Capability=NULL
    timeleft  : 11:58:55

Note that if your VOMS installation does not support newer proxy certificate formats, you will need to set GT_PROXY_MODE=old before running myproxy-init to store your proxy:

    $ export GT_PROXY_MODE=old
    $ myproxy-init
    Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
    Enter GRID pass phrase for this identity:
    Creating proxy .................................................................................. Done
    Proxy Verify OK
    Your proxy is valid until: Fri Nov 2 09:44:12 2007
    Enter MyProxy pass phrase:
    Verifying - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.

For older versions of the MyProxy clients, it is possible to get the same behavior as above by manually running voms-proxy-init before myproxy-init or after myproxy-logon. To store a proxy with VOMS attributes:

    $ voms-proxy-init -voms NCSA
    Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
    Creating temporary proxy ............................... Done
    Contacting voms.ncsa.uiuc.edu:15000 [/C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu] "NCSA" Done
    Creating proxy ...................................................... Done
    $ export GT_PROXY_MODE=old
    $ myproxy-init --certfile `grid-proxy-info -path` --keyfile `grid-proxy-info -path` -c 0
    Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
    Creating proxy .................................................................................. Done
    Proxy Verify OK
    Your proxy is valid until: Fri Nov 2 09:44:12 2007
    Enter MyProxy pass phrase:
    Verifying - Enter MyProxy pass phrase:
    A proxy valid for 11 hours (0.5 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.

To retrieve a proxy then add VOMS attributes:

    $ myproxy-logon
    Enter MyProxy pass phrase:
    A credential has been received for user jbasney in /tmp/x509up_u502.
    $ voms-proxy-init -cert `grid-proxy-info -path` -key `grid-proxy-info -path` -voms NCSA
    Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
    Creating temporary proxy ............................... Done
    Contacting voms.ncsa.uiuc.edu:15000 [/C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu] "NCSA" Done
    Creating proxy ...................................................... Done

This approach is discussed in more detail here.

Enabling MyProxy Server VOMS Support

VOMS support is not enabled by default in the myproxy-server. It requires a special installation process to enable. Note that this capability is separate from MyProxy's --voms command-line support, which is enabled by default and does not require the below special installation process.
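
The verification step from the command-line section (retrieve a proxy, then inspect it with voms-proxy-info -all) can be scripted so that a job fails early when the expected attribute is missing or close to expiry. This is an added example, not part of MyProxy or VOMS: the function names are hypothetical, the sample input is abridged from the voms-proxy-info output on this page, and the timeleft field is assumed to be in H:MM:SS form.

```sh
#!/bin/sh
# Added example: check the VOMS section of `voms-proxy-info -all` output.
# Function names are hypothetical; timeleft is assumed to be H:MM:SS.

# Constructed sample input, abridged from the voms-proxy-info output on this page.
sample_info() {
cat <<'EOF'
subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy
type      : unknown
path      : /tmp/x509up_u502
timeleft  : 11:59:58
=== VO NCSA extension information ===
VO        : NCSA
subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
issuer    : /C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu
attribute : /NCSA/Role=NULL/Capability=NULL
timeleft  : 11:59:48
EOF
}

# Convert H:MM:SS to seconds.
hms_to_seconds() {
  printf '%s\n' "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# voms_field VO FIELD: print every FIELD value found in that VO's section (stdin).
voms_field() {
  awk -v vo="$1" -v field="$2" '
    /^=== VO / { in_vo = ($3 == vo); next }
    in_vo {
      i = index($0, ":"); if (i == 0) next      # split at the first colon only
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == field) print val
    }'
}

# check_voms VO FQAN MIN_SECONDS: 0 if ok, 1 if FQAN missing, 2 if too little time left.
check_voms() {
  cv_info=$(cat)
  printf '%s\n' "$cv_info" | voms_field "$1" attribute | grep -Fxq -- "$2" || {
    echo "proxy has no attribute $2 for VO $1" >&2; return 1; }
  cv_left=$(printf '%s\n' "$cv_info" | voms_field "$1" timeleft | head -n 1)
  [ "$(hms_to_seconds "$cv_left")" -ge "$3" ] || {
    echo "VOMS attribute for $1 expires in $cv_left" >&2; return 2; }
}

# Real use: voms-proxy-info -all | check_voms NCSA /NCSA/Role=NULL/Capability=NULL 3600
sample_info | check_voms NCSA /NCSA/Role=NULL/Capability=NULL 3600 && echo "VOMS attribute ok"
```

The check reads the timeleft inside the VO section rather than the proxy's own timeleft, since the two differ in the output above (11:59:58 for the proxy, 11:59:48 for the attribute).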
Configuring MyProxy's VOMS Authorization Support

With VOMS support enabled in the myproxy-server, the myproxy-server.config policy expressions may specify fully-qualified attribute names using the "FQAN:" prefix. For example:
Last modified 03/05/10.