[transfer-api] Can I use cert-based authentication with MyProxy?

Bryce Allen ballen at ci.uchicago.edu
Wed Feb 1 10:24:08 CST 2012


It's working for me with those arguments - are you including the
options on the same line, or including the \ if breaking it over
multiple lines? Did you quote the endpoint name? What error message are
you getting?

On Wed, 01 Feb 2012 11:20:28 -0500
Maxim Potekhin <potekhin at bnl.gov> wrote:
> Bryce, the code at github:
> https://github.com/globusonline/transfer-api-client-python/blob/master/examples/delegate_proxy_activate.py
> 
> does not parse the arguments the way you presented.
> 
> Maxim
> 
> On 2/1/2012 10:54 AM, Bryce Allen wrote:
> > delegate_proxy_activate.py does that, it just doesn't have good
> > documentation - I'll add usage info to the docstring. I would avoid
> > trying to do it manually based on the RFC unless you absolutely
> > can't use the Python code. You run it like this:
> >
> > # -c is often the same file as -k
> > delegate_proxy_activate.py USERNAME 'ENDPOINT_NAME' /path/to/cred \
> >   -k /path/to/client/auth/key \
> >   -c /path/to/client/auth/cert \
> >   -C ../ca/gd-bundle_ca.cert
> >
> > It has the same options as the transfer_api main script, but adds two
> > required arguments for ENDPOINT_NAME (which needs to be quoted in
> > case it contains a #) and the path to an X509 credential or proxy.
> >
> > It's on my todo list to improve the option parsing and support a
> > config file so the options don't have to be passed every time.
> >
> > -Bryce
> >
> > On Wed, 01 Feb 2012 10:40:05 -0500
> > Maxim Potekhin <potekhin at bnl.gov> wrote:
> >> Thanks Bryce. I find the process fairly hard to understand and
> >> follow in detail.
> >> Let's say I have an X509 proxy (or cert) which I previously supplied
> >> to Globus Online.
> >> It would be fantastic to have a method that would simply take a
> >> path to that proxy and
> >> do the activation. Or does delegate_proxy_activate.py do exactly
> >> that?
> >>
> >> In the example that you link to, the delegate_proxy_activate.py --
> >> is that enough or should I follow the rest of the e-mail as an
> >> instruction?
> >>
> >> Thanks
> >>
> >> Maxim
> >>
> >>
> >> On 2/1/2012 10:32 AM, Bryce Allen wrote:
> >>> There's an example of how to do this from Python on github (it's
> >>> just not part of the PyPI package):
> >>>
> >>> https://github.com/globusonline/transfer-api-client-python/blob/master/examples/delegate_proxy_activate.py
> >>>
> >>> This RFC for how this works is still accurate except that there is
> >>> no 'public_key_expires' field:
> >>> https://lists.globusonline.org/mailman/private/transfer-api/2011-March/000030.html
> >>>
> >>> The key field that needs to be sent in the activation requirements
> >>> is the proxy_chain. It's a proxy certificate using the public key
> >>> sent by the server, signed by the user's credential, together with
> >>> the user certificate and any other certificates in the chain. It's
> >>> non-trivial to construct - see the 'create_proxy' function in the
> >>> main client file:
> >>> https://github.com/globusonline/transfer-api-client-python/blob/master/globusonline/transfer/api_client/__init__.py
> >>>
> >>> The filled in requirements will look something like this:
> >>>
> >>> {
> >>>     "DATA_TYPE": "activation_requirements",
> >>>     "DATA": [
> >>>        {
> >>>         "name": "proxy_chain",
> >>>         "DATA_TYPE": "activation_requirement",
> >>>         "value": " "-----BEGIN
> >>>         CERTIFICATE-----\nMIIEfTCCA2WgAwIBAgIJALtiJziHQJt0MA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV\nBAYTAlVTMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0\naW5nIEFwcGxpY2F0aW9uczEUMBIGA1UEAxMLQnJ5Y2UgQWxsZW4wHhcNMTIwMjAx\nMTUyMjM0WhcNMTIwMjAxMTYyMjM0WjB8MQswCQYDVQQGEwJVUzE4MDYGA1UEChMv\nTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBlcmNvbXB1dGluZyBBcHBsaWNhdGlvbnMx\nFDASBgNVBAMTC0JyeWNlIEFsbGVuMR0wGwYDVQQDExQxMzUwMjM5Nzc1NjU1MDk3\nODQyMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL5YTLyFj1mS5neE\nkbSagSNAfpSWcieT3aLV51gKnq7+oWQecDLsTJO4vzxpaCdWEN+xYTvfTglkiSSL\naldzE9f9b+YjpN5WtWJ4HWCIaNyooFkGoOmwmSKsRZ8O9eSEabfbAT9OdV6OH2AE\nY77d+fwDi4jmpKj9qFcyakBPhZaxhUGdjUMWfTjjMhjWlkKPTd0V/rW2e2MSFiy6\nhLG1bCNe1Wa2wFzFDdDgaLoc2uIeVGXf/c7wRxGpMGqoD8mf+xVCKY6WypsM9Zje\nKqO7kWO++3fa4s87SE5xsMAVZ1geMHc6IFyg5HLgs13cxq1vzLLpZSmxZ8undYLO\njgfHCXf13uqhcAQ0OIB4/agosffGHyaSbv6xjhUb/UiVKLkVPwbLaPx9/lyEp0Jr\nALEI8lg5pGemUWnplWFla6jNCdzNvEseY3L2pZlL9B0AZ7E9c5JcyHbBBKZod7An\nHElzyRw/EytT+ZO3r2MH7lYnEobkts2uiBfowbKYdE/QjlKcFIo0nqlC50MOZVxq\nL8T17xfdSLJRVR0nmCn41shNNJ8VPjNUNyOiYSsSDxhcqRlPMQgjSx5VGnOIr//w\nb+tO3sG2QgdYBw6LaaWVchK9Udq+1j8ZcI3fppA67Bz/erHLxSJm49LrewqoPJDJ\nfFCyMIaoNyyuF3mXrSIRUdNIxCpjAgMBAAGjITAfMB0GCCsGAQUFBwEOAQH/BA4w\nDDAKBggrBgEFBQcVATANBgkqhkiG9w0BAQUFAAOCAQEApBRRIwJKGYm5VYaljXT7\nKnF42etZua/7Z0xofYePJUQLOO909ffMM880Y4K0b88b+UNhoIusoyw5pWRpE2X8\nlvfUsVnGYuatb/66IYqUu0RLF8j0xm5twHGfFzAX1M8G4jQJELzugYA3BR9gEDdg\nJfK1Z+PK2iYDuqj+ModJyQhW75arHu/kNRyAWrPk8jo4NzIyUzVKQXGwFbmQbK+d\n0yGHb0tIvGyCIoSnd03AhqWhuE7zzpNUkX/KGTDTBJ9mouVMXVo4yUBIRfbaG0xW\nhGBqZNDfC4HhELA2afxZduo8dplOVqYCE37CAtRJFgOC1Om87yT8pAHnzgHhukZL\nAQ==\n-----END
> >>>         CERTIFICATE-----\n-----BEGIN
> >>>         CERTIFICATE-----\nMIIEJDCCAwygAwIBAgIDF2whMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNVBAYTAlVT\nMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0aW5nIEFw\ncGxpY2F0aW9uczEgMB4GA1UECxMXQ2VydGlmaWNhdGUgQXV0aG9yaXRpZXMxEDAO\nBgNVBAMTB015UHJveHkwHhcNMTIwMjAxMTUxMzE2WhcNMTIwMjEyMTUxODE2WjBd\nMQswCQYDVQQGEwJVUzE4MDYGA1UEChMvTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBl\ncmNvbXB1dGluZyBBcHBsaWNhdGlvbnMxFDASBgNVBAMTC0JyeWNlIEFsbGVuMIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArUf36B5rWNeguv3ZvCWE+xUs\nCEB3hGsp/fUv9I0RP3sSd+A4O7/Md0y12bDo+KsbQUsrFWg8mAqltloRgZzeyP5R\nYyp4ZD1xtGJLYzju6BIGJHC5AhXMvQO6LUzpOAJjXjYs2Isn0d0C6Bg3Z83jwVc5\nALzXFVKhe9UH+sphBmn/SjIjWst9AaGeF7xQNyibfMEMcmLNniPRAIpTp9W3uTOb\n3SgBWkBRBIu04qc1diTRViB6ZQ6gUiuBoIF810nDfozFg/I9IlltIIBJwOtl8W78\nK4A9rNGX9m9E0JXHUaIslJKYiAv/pKa4VeyWQ8rvDXzCh8UEu9alJqJj4A1DpwID\nAQABo4HOMIHLMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUC5UaHZjimiwXo2Bl\nzrOWRMi8i+swHwYDVR0jBBgwFoAU1/ylAnY69hP6K6Hg5lA1xyPHe1EwDAYDVR0T\nAQH/BAIwADA0BgNVHSAELTArMAwGCisGAQQBpD5kAgUwDAYKKoZIhvdMBQICAzAN\nBgsqhkiG90wFAgMCATA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY2EubmNzYS51\naXVjLmVkdS9mMmU4OWZlMy5jcmwwDQYJKoZIhvcNAQEFBQADggEBAKamGeSfMyQN\nOjanlYcDfmX5QVFHNk11WG+pPaOP45s8XyZ5qPBqmFcEQzQ99oq9N34fabkSNWaM\niEXoCQ/y3+LOvxzWqlmKXkZphPlTtz5Q7H57hggow42cvTf44ZKQPCNWr6WRK965\nF48PzgpRr4Sp+NXoK8/FLZNsunxzluttPMc8ihqFRuX+ssi7fXTG+2qvythX1v4a\ncJc4S1YLpTK3CKQXkRhvdJt7f2GMgUm7xFAb2XNNEEYHiu5T6fINyFW//bvShlg2\nJVzWhEuKWca6O1bn/wPH0oiMfLY/USJYUwExNCXRHUzLSGE67VuIEB/256x9ZB2e\nN1w+he3jSXI=\n-----END
> >>>         CERTIFICATE-----\n\n"", "type": "delegate_proxy", } ],
> >>> }
> >>>
> >>> It may include additional (unused) activation requirements in the
> >>> DATA list, and other fields that were part of the original
> >>> response from the server, so you can just take the response and
> >>> add the proxy_chain value. However, those are all optional and are
> >>> ignored anyway.
> >>>
> >>> Hope that helps,
> >>> Bryce
> >>>
> >>> On Tue, 31 Jan 2012 23:26:20 -0500
> >>> Maxim Potekhin <potekhin at bnl.gov> wrote:
> >>>> Hello,
> >>>>
> >>>> when I look at activation requirements, I observe that they seem
> >>>> to be tailored to password-based auth with MyProxy server. In our
> >>>> situation, we need cert-based auth. Is it still possible?
> >>>>
> >>>> Thanks
> >>>>
> >>>> Maxim
> >>>>
> >>>> _______________________________________________
> >>>> transfer-api mailing list
> >>>> transfer-api at lists.globusonline.org
> >>>> https://lists.globusonline.org/mailman/listinfo/transfer-api
> 
> 
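
An added example, not part of the original thread or of the Globus Online client: filling the `proxy_chain` value into the server's activation requirements as described above, with a check that the value holds only certificates, since an X509 credential file usually also contains the private key. It assumes the chain PEM was already built (for instance by `create_proxy`) and checks PEM framing only; `pem_labels`, `fill_proxy_chain`, `sample_pem` and the `myproxy` entry in the sample response are hypothetical names and constructed data.

```python
import copy
import re

# Captures the label of every PEM block (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def pem_labels(pem_text):
    """Return the label of each PEM block in pem_text, in order."""
    return PEM_BEGIN.findall(pem_text)


def fill_proxy_chain(requirements, chain_pem):
    """Return a copy of the server's activation requirements with the
    proxy_chain value set; refuse input that is not a certificate chain."""
    labels = pem_labels(chain_pem)
    if any(label != "CERTIFICATE" for label in labels):
        # A credential file often carries the private key too; never send it.
        raise ValueError("chain contains a non-certificate PEM block")
    if len(labels) < 2:
        # Per the thread: proxy certificate + user certificate (+ rest of chain).
        raise ValueError("expected proxy certificate plus user certificate")
    filled = copy.deepcopy(requirements)  # leave the server response untouched
    for req in filled["DATA"]:
        if req.get("type") == "delegate_proxy" and req.get("name") == "proxy_chain":
            req["value"] = chain_pem
            return filled
    raise ValueError("no delegate_proxy/proxy_chain requirement in response")


def sample_pem(label, body="Q09OU1RSVUNURUQ="):
    # Constructed placeholder: PEM framing only, not a real certificate or key.
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample response; the myproxy entry is an assumption for illustration.
SAMPLE = {
    "DATA_TYPE": "activation_requirements",
    "DATA": [
        {"DATA_TYPE": "activation_requirement", "type": "myproxy",
         "name": "passphrase", "value": None},
        {"DATA_TYPE": "activation_requirement", "type": "delegate_proxy",
         "name": "proxy_chain", "value": None},
    ],
}
CHAIN = sample_pem("CERTIFICATE") + sample_pem("CERTIFICATE")
```
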