[transfer-api] Can I use cert-based authentication with MyProxy?

Maxim Potekhin potekhin at bnl.gov
Wed Feb 1 10:11:37 CST 2012


Bryce,

this is what I get when I try to run the example:

[mxp at pandadev01 ~/globus-test]$ ./t1.py
Traceback (most recent call last):
   File "./t1.py", line 70, in <module>
     proxy = create_proxy_from_file(cred_file, public_key)
   File "/usatlas/u/mxp/globusonline-transfer-api-client-python-7e08617/globusonline/transfer/api_client/__init__.py", line 1058, in create_proxy_from_file
     return create_proxy(issuer_cred, public_key, lifetime)
   File "/usatlas/u/mxp/globusonline-transfer-api-client-python-7e08617/globusonline/transfer/api_client/__init__.py", line 1067, in create_proxy
     from M2Crypto import X509, RSA, EVP, ASN1, BIO
ImportError: No module named M2Crypto




On 2/1/2012 10:54 AM, Bryce Allen wrote:
> delegate_proxy_activate.py does that, it just doesn't have good
> documentation - I'll add usage info to the docstring. I would avoid
> trying to do it manually based on the RFC unless you absolutely can't
> use the Python code. You run it like this:
>
> # the -c cert path is often the same as the -k key path
> delegate_proxy_activate.py USERNAME 'ENDPOINT_NAME' /path/to/cred \
>   -k /path/to/client/auth/key \
>   -c /path/to/client/auth/cert \
>   -C ../ca/gd-bundle_ca.cert
>
> It has the same options as the transfer_api main script, but adds two
> required arguments for ENDPOINT_NAME (which needs to be quoted in case
> it contains a #) and the path to an X509 credential or proxy.
>
> It's on my todo list to improve the option parsing and support a config
> file so the options don't have to be passed every time.
>
> -Bryce
>
> On Wed, 01 Feb 2012 10:40:05 -0500
> Maxim Potekhin<potekhin at bnl.gov>  wrote:
>> Thanks, Bryce. I find the process fairly hard to understand and follow
>> in detail.
>> Let's say I have an X509 proxy (or cert) which I previously supplied
>> to Globus Online.
>> It would be fantastic to have a method that would simply take a path
>> to that proxy and
>> do the activation. Or does delegate_proxy_activate.py do exactly that?
>>
>> In the example that you link to, the delegate_proxy_activate.py --
>> is that enough or should I follow the rest of the e-mail as in
>> instruction?
>>
>> Thanks
>>
>> Maxim
>>
>>
>> On 2/1/2012 10:32 AM, Bryce Allen wrote:
>>> There's an example of how to do this from Python on github (it's
>>> just not part of the PyPI package):
>>>
>>> https://github.com/globusonline/transfer-api-client-python/blob/master/examples/delegate_proxy_activate.py
>>>
>>> This RFC for how this works is still accurate except that there is
>>> no 'public_key_expires' field:
>>> https://lists.globusonline.org/mailman/private/transfer-api/2011-March/000030.html
>>>
>>> The key field that needs to be sent in the activation requirements
>>> is the proxy_chain. It's a proxy certificate using the public key
>>> sent by the server, signed by the user's credential, together with
>>> the user certificate and any other certificates in the chain. It's
>>> non-trivial to construct - see the 'create_proxy' function in the
>>> main client file:
>>> https://github.com/globusonline/transfer-api-client-python/blob/master/globusonline/transfer/api_client/__init__.py
>>>
>>> The filled in requirements will look something like this:
>>>
>>> {
>>>     "DATA_TYPE": "activation_requirements",
>>>     "DATA": [
>>>        {
>>>         "name": "proxy_chain",
>>>         "DATA_TYPE": "activation_requirement",
>>>         "value": " "-----BEGIN
>>>         CERTIFICATE-----\nMIIEfTCCA2WgAwIBAgIJALtiJziHQJt0MA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV\nBAYTAlVTMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0\naW5nIEFwcGxpY2F0aW9uczEUMBIGA1UEAxMLQnJ5Y2UgQWxsZW4wHhcNMTIwMjAx\nMTUyMjM0WhcNMTIwMjAxMTYyMjM0WjB8MQswCQYDVQQGEwJVUzE4MDYGA1UEChMv\nTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBlcmNvbXB1dGluZyBBcHBsaWNhdGlvbnMx\nFDASBgNVBAMTC0JyeWNlIEFsbGVuMR0wGwYDVQQDExQxMzUwMjM5Nzc1NjU1MDk3\nODQyMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL5YTLyFj1mS5neE\nkbSagSNAfpSWcieT3aLV51gKnq7+oWQecDLsTJO4vzxpaCdWEN+xYTvfTglkiSSL\naldzE9f9b+YjpN5WtWJ4HWCIaNyooFkGoOmwmSKsRZ8O9eSEabfbAT9OdV6OH2AE\nY77d+fwDi4jmpKj9qFcyakBPhZaxhUGdjUMWfTjjMhjWlkKPTd0V/rW2e2MSFiy6\nhLG1bCNe1Wa2wFzFDdDgaLoc2uIeVGXf/c7wRxGpMGqoD8mf+xVCKY6WypsM9Zje\nKqO7kWO++3fa4s87SE5xsMAVZ1geMHc6IFyg5HLgs13cxq1vzLLpZSmxZ8undYLO\njgfHCXf13uqhcAQ0OIB4/agosffGHyaSbv6xjhUb/UiVKLkVPwbLaPx9/lyEp0Jr\nALEI8lg5pGemUWnplWFla6jNCdzNvEseY3L2pZlL9B0AZ7E9c5JcyHbBBKZod7An\nHElzyRw/EytT+ZO3r2MH7lYnEobkts2uiBfowbKYdE/QjlKcFIo0nqlC50MOZVxq\nL8T17xfdSLJRVR0nmCn41shNNJ8VPjNUNyOiYSsSDxhcqRlPMQgjSx5VGnOIr//w\nb+tO3sG2QgdYBw6LaaWVchK9Udq+1j8ZcI3fppA67Bz/erHLxSJm49LrewqoPJDJ\nfFCyMIaoNyyuF3mXrSIRUdNIxCpjAgMBAAGjITAfMB0GCCsGAQUFBwEOAQH/BA4w\nDDAKBggrBgEFBQcVATANBgkqhkiG9w0BAQUFAAOCAQEApBRRIwJKGYm5VYaljXT7\nKnF42etZua/7Z0xofYePJUQLOO909ffMM880Y4K0b88b+UNhoIusoyw5pWRpE2X8\nlvfUsVnGYuatb/66IYqUu0RLF8j0xm5twHGfFzAX1M8G4jQJELzugYA3BR9gEDdg\nJfK1Z+PK2iYDuqj+ModJyQhW75arHu/kNRyAWrPk8jo4NzIyUzVKQXGwFbmQbK+d\n0yGHb0tIvGyCIoSnd03AhqWhuE7zzpNUkX/KGTDTBJ9mouVMXVo4yUBIRfbaG0xW\nhGBqZNDfC4HhELA2afxZduo8dplOVqYCE37CAtRJFgOC1Om87yT8pAHnzgHhukZL\nAQ==\n-----END
>>>         CERTIFICATE-----\n-----BEGIN
>>>         CERTIFICATE-----\nMIIEJDCCAwygAwIBAgIDF2whMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNVBAYTAlVT\nMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0aW5nIEFw\ncGxpY2F0aW9uczEgMB4GA1UECxMXQ2VydGlmaWNhdGUgQXV0aG9yaXRpZXMxEDAO\nBgNVBAMTB015UHJveHkwHhcNMTIwMjAxMTUxMzE2WhcNMTIwMjEyMTUxODE2WjBd\nMQswCQYDVQQGEwJVUzE4MDYGA1UEChMvTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBl\ncmNvbXB1dGluZyBBcHBsaWNhdGlvbnMxFDASBgNVBAMTC0JyeWNlIEFsbGVuMIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArUf36B5rWNeguv3ZvCWE+xUs\nCEB3hGsp/fUv9I0RP3sSd+A4O7/Md0y12bDo+KsbQUsrFWg8mAqltloRgZzeyP5R\nYyp4ZD1xtGJLYzju6BIGJHC5AhXMvQO6LUzpOAJjXjYs2Isn0d0C6Bg3Z83jwVc5\nALzXFVKhe9UH+sphBmn/SjIjWst9AaGeF7xQNyibfMEMcmLNniPRAIpTp9W3uTOb\n3SgBWkBRBIu04qc1diTRViB6ZQ6gUiuBoIF810nDfozFg/I9IlltIIBJwOtl8W78\nK4A9rNGX9m9E0JXHUaIslJKYiAv/pKa4VeyWQ8rvDXzCh8UEu9alJqJj4A1DpwID\nAQABo4HOMIHLMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUC5UaHZjimiwXo2Bl\nzrOWRMi8i+swHwYDVR0jBBgwFoAU1/ylAnY69hP6K6Hg5lA1xyPHe1EwDAYDVR0T\nAQH/BAIwADA0BgNVHSAELTArMAwGCisGAQQBpD5kAgUwDAYKKoZIhvdMBQICAzAN\nBgsqhkiG90wFAgMCATA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY2EubmNzYS51\naXVjLmVkdS9mMmU4OWZlMy5jcmwwDQYJKoZIhvcNAQEFBQADggEBAKamGeSfMyQN\nOjanlYcDfmX5QVFHNk11WG+pPaOP45s8XyZ5qPBqmFcEQzQ99oq9N34fabkSNWaM\niEXoCQ/y3+LOvxzWqlmKXkZphPlTtz5Q7H57hggow42cvTf44ZKQPCNWr6WRK965\nF48PzgpRr4Sp+NXoK8/FLZNsunxzluttPMc8ihqFRuX+ssi7fXTG+2qvythX1v4a\ncJc4S1YLpTK3CKQXkRhvdJt7f2GMgUm7xFAb2XNNEEYHiu5T6fINyFW//bvShlg2\nJVzWhEuKWca6O1bn/wPH0oiMfLY/USJYUwExNCXRHUzLSGE67VuIEB/256x9ZB2e\nN1w+he3jSXI=\n-----END
>>>         CERTIFICATE-----\n\n"", "type": "delegate_proxy", } ],
>>> }
>>>
>>> It may include additional (unused) activation requirements in the
>>> DATA list, and other fields that were part of the original response
>>> from the server, so you can just take the response and add the
>>> proxy_chain value. However those are all optional and are ignored
>>> anyway.
>>>
>>> Hope that helps,
>>> Bryce
>>>
>>> On Tue, 31 Jan 2012 23:26:20 -0500
>>> Maxim Potekhin<potekhin at bnl.gov>   wrote:
>>>> Hello,
>>>>
>>>> when I look at activation requirements, I observe that they seem to
>>>> be tailored to password-based auth with MyProxy server. In our
>>>> situation, we need cert-based auth. Is it still possible?
>>>>
>>>> Thanks
>>>>
>>>> Maxim
>>>>
>>>> _______________________________________________
>>>> transfer-api mailing list
>>>> transfer-api at lists.globusonline.org
>>>> https://lists.globusonline.org/mailman/listinfo/transfer-api
>>>>
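Added example (not part of the original thread and not code from the Globus Online client): the "take the response and add the proxy_chain value" step described above, with a guard that matters because a credential or proxy file usually holds the private key next to the certificates. The function names are hypothetical, the proxy certificate is assumed to have been created separately (for instance by the client's create_proxy), and the PEM bodies and requirements document are constructed placeholders.

```python
import copy
import re

# Matches one PEM block; group 1 is its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

def certificate_blocks(pem_text):
    """Return the CERTIFICATE blocks of a PEM bundle in order, dropping keys."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(pem_text)
            if m.group(1) == "CERTIFICATE"]

def fill_proxy_chain(requirements, proxy_cert_pem, issuer_cred_pem):
    """Return a copy of the server's activation_requirements document with the
    delegate_proxy 'proxy_chain' value set to proxy cert + issuer cert chain."""
    proxy = certificate_blocks(proxy_cert_pem)
    if len(proxy) != 1:
        raise ValueError("expected exactly one proxy certificate")
    issuer_chain = certificate_blocks(issuer_cred_pem)
    if not issuer_chain:
        raise ValueError("issuer credential contains no certificate")
    chain = "".join(proxy + issuer_chain)
    if "PRIVATE KEY" in chain:  # defence in depth: never send key material
        raise ValueError("private key material in proxy_chain")
    filled = copy.deepcopy(requirements)
    for req in filled.get("DATA", []):
        if req.get("type") == "delegate_proxy" and req.get("name") == "proxy_chain":
            req["value"] = chain
            return filled
    raise LookupError("no delegate_proxy/proxy_chain requirement offered")

def _pem(label, body):  # constructed placeholder block, not a real credential
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample inputs: proxy cert, a credential file (cert + key + CA),
# and a requirements document with a password-style and a delegate_proxy entry.
SAMPLE_PROXY = _pem("CERTIFICATE", "UFJPWFk=")
SAMPLE_CRED = (_pem("CERTIFICATE", "VVNFUg==") + _pem("RSA PRIVATE KEY", "S0VZ")
               + _pem("CERTIFICATE", "Q0E="))
SAMPLE_REQS = {
    "DATA_TYPE": "activation_requirements",
    "DATA": [
        {"DATA_TYPE": "activation_requirement", "type": "myproxy",
         "name": "passphrase", "value": None},
        {"DATA_TYPE": "activation_requirement", "type": "delegate_proxy",
         "name": "proxy_chain", "value": None},
    ],
}

if __name__ == "__main__":
    print(fill_proxy_chain(SAMPLE_REQS, SAMPLE_PROXY, SAMPLE_CRED)["DATA"][1]["value"])
```
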



