TWiki>
EMI Web>EmiProjectStructure>JRA1>EmiJra1>EmiJra1T3Data>EmiJra1T3-SRMSEC-Overview>EmiJra1T3-SRMSEC-delegation (2010-11-30, PaulMillar)
EditAttachPDF
EMI Web>EmiProjectStructure>JRA1>EmiJra1>EmiJra1T3Data>EmiJra1T3-SRMSEC-Overview>EmiJra1T3-SRMSEC-delegation (2010-11-30, PaulMillar) EditAttachPDFAvailable delegation services
There are several available delegation protocols available:- the original GridSite Delegation Service Protocol,
- the gLite/GridSite Delegation Service Protocol,
- the Globus Credential Delegation Service,
- Globus' New Delegation Service,
- the IVOA Credential Delegation Protocol.
- WS-Trust (an extension to WS-Security).
Original GridSite Delegation Service Protocol
This protocol is document
in the GridSite pages. It supports two operations: getProxyReq and putProxy. The semantics are that getProxyReq receives the public key of the newly generated proxy that the client is to sign. Once signed, the certificate is uploaded using putProxy.
The description, protocol (and, therefore, also the WSDL) has been superseded by the gLite/GridSite protocol.
gLite/GridSite protocol
The gLite/GridSite protocol extends the original GridSite protocol. There are three versions of this protocol:- version 1.0.0: the Original GridSite Delegation Service Protocol, supporting
getProxyReqandputProxyoperations. The client issuesgetProxyReqwith an ID, the client then signs the cert. request and uploads the certificate usingputProxyoperation. This is essentially the same as the original GridSite Delegation Service (see above). - version 1.1.0: introduces the concept of a delegation session by adding:
getNewProxyReq,renewProxyReq,getTerminationTime,destroyoperations. BothgetNewProxyReqandrenewProxyReqrequire the client to complete the operation with the v1.0.0putProxyoperation. - version 2.0.0 (the latest) adds some ancillary information operations:
getVersion,getInterfaceVersion,getServiceMetadata.
.
Available implementations
There are several projects in the gLite CVS repository (:pserver:anonymous@glite.cvs.cern.ch:/cvs/glite) that provide some support for GDS or delegation.
GDS v2.0.0
These projects provide support for GDS v2.0.0- org.glite.security.delegation-interface contains the WSDL for GDS v1.0.0, v1.1.0 and v2.0.0
- org.glite.security.delegation-java Java library to support the functionality needed for a GDS 2.0.0 client or server.
- org.glite.data.delegation-cli C client library and example CLI. Seems to be compliant with GDS 2.0.0
GDS v1.1.0
- org.gridsite.core C code for gridsite. Includes delegation server/service code
Unknown
- org.glite.security.delegation-client seemingly incomplete client implementation; unclear how this matches with any particular GDS version.
Globus Credential Delegation Service
This service was supplied as part of Globus Toolkit (GT) v4.0. Globus has dropped support for their Delegation Service with GTv5.0. There is no explicit mention that they've dropped support in their release notes and the component is no longer listed.
Globus New Delegation Service
As part of their effort in moving away from GSI towards SSL/TLS, Globus will provide a new delegation service. Details are scarce at the moment, but it is anticipated that it will be RESTful.IVOA Delegation service
Version 1.0 of the IVOA Credential Delegation Protocol is described in this page.
The AstroGrid security, delegation page describes the AstroGrid implementation, which is a Java client + server.
Here is a brief analysis from Joni Hahkala:
The IVOA protocol seems good and seems to be well defined. But it seems to assume the user needs just one delegation. In gridsite delegation there is so called delegation id which allows the user to have several delegations at the same time with for example different VO attributes. By default in our systems this id is generated and filled with hash of the VO attributes allowing the user to do things with different roles etc at the same time without the credentials getting mixed up. Otherwise the protocols are pretty close to eachother.
WS-Trust
According to the standard's introduction, WS-Trust is defined as extensions to the WS-Security family that provide: - Methods for issuing, renewing, and validating security tokens.
- Ways to establish assess the presence of, and broker trust relationships.
Topic revision: r4 - 2010-11-30 - PaulMillar
EMI Web
News
Events
Procedures and Tools
Mailing Lists
Documents
Project Structure
Create New Topic
Index
Search
Changes
Statistics
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback