[transfer-api] Can I use cert-based authentication with MyProxy?

Maxim Potekhin potekhin at bnl.gov
Wed Feb 1 10:25:58 CST 2012


Bryce,

my client will run in the cloud; there is only so much I can reasonably install
on remote worker nodes on the fly. Yum is out of the question.

Is there any workaround to get auth to Globus Online?

Alternatively, is there a simple way to use MyProxy, whereby it does not
allow anonymous retrieval? If yes, could you post a complete example?

Maxim


On 2/1/2012 11:20 AM, Bryce Allen wrote:
> Oh I forgot about that - another thing I need to add to the docs.
> M2Crypto is required to create and sign the proxy, since it's not
> supported in the standard libraries. It might also be reasonable to
> call the openssl command to do the work, to avoid the extra python
> module dependency.
>
> In any case are you able to install M2Crypto? Most distributions have
> packages for it, or if you have the python/openssl dev libraries
> installed it should install cleanly with easy_install.
>
> In Fedora/RHEL/CentOS:
>
> $ yum install m2crypto
>
> In Ubuntu/Debian:
>
> $ apt-get install python-m2crypto
>
> -Bryce
>
> On Wed, 01 Feb 2012 11:11:37 -0500
> Maxim Potekhin <potekhin at bnl.gov> wrote:
>> Bryce,
>>
>> this is what I get when I try to run the example:
>>
>> [mxp at pandadev01 ~/globus-test]$ ./t1.py
>> Traceback (most recent call last):
>>     File "./t1.py", line 70, in <module>
>>       proxy = create_proxy_from_file(cred_file, public_key)
>>     File
>> "/usatlas/u/mxp/globusonline-transfer-api-client-python-7e08617/globusonline/transfer/api_client/__init__.py",
>> line 1058, in create_proxy_from_file
>>       return create_proxy(issuer_cred, public_key, lifetime)
>>     File
>> "/usatlas/u/mxp/globusonline-transfer-api-client-python-7e08617/globusonline/transfer/api_client/__init__.py",
>> line 1067, in create_proxy
>>       from M2Crypto import X509, RSA, EVP, ASN1, BIO
>> ImportError: No module named M2Crypto
>>
>>
>>
>>
>> On 2/1/2012 10:54 AM, Bryce Allen wrote:
>>> delegate_proxy_activate.py does that, it just doesn't have good
>>> documentation - I'll add usage info to the docstring. I would avoid
>>> trying to do it manually based on the RFC unless you absolutely
>>> can't use the Python code. You run it like this:
>>>
>>> delegate_proxy_activate.py USERNAME 'ENDPOINT_NAME' /path/to/cred \
>>>    -k /path/to/client/auth/key \
>>>    -c /path/to/client/auth/cert \ # often the same as key
>>>    -C ../ca/gd-bundle_ca.cert
>>>
>>> It has the same options as the transfer_api main script, but adds two
>>> required arguments: ENDPOINT_NAME (which needs to be quoted in
>>> case it contains a #) and the path to an X509 credential or proxy.
>>>
>>> It's on my todo list to improve the option parsing and support a
>>> config file so the options don't have to be passed every time.
>>>
>>> -Bryce
>>>
>>> On Wed, 01 Feb 2012 10:40:05 -0500
>>> Maxim Potekhin <potekhin at bnl.gov> wrote:
>>>> Thanks Bryce. I find the process fairly hard to understand and
>>>> follow in detail.
>>>> Let's say I have an X509 proxy (or cert) which I previously supplied
>>>> to Globus Online.
>>>> It would be fantastic to have a method that would simply take a
>>>> path to that proxy and do the activation. Or does
>>>> delegate_proxy_activate.py do exactly that?
>>>>
>>>> In the example that you link to, the delegate_proxy_activate.py --
>>>> is that enough or should I follow the rest of the e-mail as in
>>>> instruction?
>>>>
>>>> Thanks
>>>>
>>>> Maxim
>>>>
>>>>
>>>> On 2/1/2012 10:32 AM, Bryce Allen wrote:
>>>>> There's an example of how to do this from Python on github (it's
>>>>> just not part of the PyPI package):
>>>>>
>>>>> https://github.com/globusonline/transfer-api-client-python/blob/master/examples/delegate_proxy_activate.py
>>>>>
>>>>> This RFC for how this works is still accurate except that there is
>>>>> no 'public_key_expires' field:
>>>>> https://lists.globusonline.org/mailman/private/transfer-api/2011-March/000030.html
>>>>>
>>>>> The key field that needs to be sent in the activation requirements
>>>>> is the proxy_chain. It's a proxy certificate using the public key
>>>>> sent by the server, signed by the user's credential, together with
>>>>> the user certificate and any other certificates in the chain. It's
>>>>> non-trivial to construct - see the 'create_proxy' function in the
>>>>> main client file:
>>>>> https://github.com/globusonline/transfer-api-client-python/blob/master/globusonline/transfer/api_client/__init__.py
>>>>>
>>>>> The filled in requirements will look something like this:
>>>>>
>>>>> {
>>>>>      "DATA_TYPE": "activation_requirements",
>>>>>      "DATA": [
>>>>>         {
>>>>>          "name": "proxy_chain",
>>>>>          "DATA_TYPE": "activation_requirement",
>>>>>          "value": " "-----BEGIN
>>>>>          CERTIFICATE-----\nMIIEfTCCA2WgAwIBAgIJALtiJziHQJt0MA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV\nBAYTAlVTMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0\naW5nIEFwcGxpY2F0aW9uczEUMBIGA1UEAxMLQnJ5Y2UgQWxsZW4wHhcNMTIwMjAx\nMTUyMjM0WhcNMTIwMjAxMTYyMjM0WjB8MQswCQYDVQQGEwJVUzE4MDYGA1UEChMv\nTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBlcmNvbXB1dGluZyBBcHBsaWNhdGlvbnMx\nFDASBgNVBAMTC0JyeWNlIEFsbGVuMR0wGwYDVQQDExQxMzUwMjM5Nzc1NjU1MDk3\nODQyMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL5YTLyFj1mS5neE\nkbSagSNAfpSWcieT3aLV51gKnq7+oWQecDLsTJO4vzxpaCdWEN+xYTvfTglkiSSL\naldzE9f9b+YjpN5WtWJ4HWCIaNyooFkGoOmwmSKsRZ8O9eSEabfbAT9OdV6OH2AE\nY77d+fwDi4jmpKj9qFcyakBPhZaxhUGdjUMWfTjjMhjWlkKPTd0V/rW2e2MSFiy6\nhLG1bCNe1Wa2wFzFDdDgaLoc2uIeVGXf/c7wRxGpMGqoD8mf+xVCKY6WypsM9Zje\nKqO7kWO++3fa4s87SE5xsMAVZ1geMHc6IFyg5HLgs13cxq1vzLLpZSmxZ8undYLO\njgfHCXf13uqhcAQ0OIB4/agosffGHyaSbv6xjhUb/UiVKLkVPwbLaPx9/lyEp0Jr\nALEI8lg5pGemUWnplWFla6jNCdzNvEseY3L2pZlL9B0AZ7E9c5JcyHbBBKZod7An\nHElzyRw/EytT+ZO3r2MH7lYnEobkts2uiBfowbKYdE/QjlKcFIo0nqlC50MOZVxq\nL8T17xfdSLJRVR0nmCn41shNNJ8VPjNUNyOiYSsSDxhcqRlPMQgjSx5VGnOIr//w\nb+tO3sG2QgdYBw6LaaWVchK9Udq+1j8ZcI3fppA67Bz/erHLxSJm49LrewqoPJDJ\nfFCyMIaoNyyuF3mXrSIRUdNIxCpjAgMBAAGjITAfMB0GCCsGAQUFBwEOAQH/BA4w\nDDAKBggrBgEFBQcVATANBgkqhkiG9w0BAQUFAAOCAQEApBRRIwJKGYm5VYaljXT7\nKnF42etZua/7Z0xofYePJUQLOO909ffMM880Y4K0b88b+UNhoIusoyw5pWRpE2X8\nlvfUsVnGYuatb/66IYqUu0RLF8j0xm5twHGfFzAX1M8G4jQJELzugYA3BR9gEDdg\nJfK1Z+PK2iYDuqj+ModJyQhW75arHu/kNRyAWrPk8jo4NzIyUzVKQXGwFbmQbK+d\n0yGHb0tIvGyCIoSnd03AhqWhuE7zzpNUkX/KGTDTBJ9mouVMXVo4yUBIRfbaG0xW\nhGBqZNDfC4HhELA2afxZduo8dplOVqYCE37CAtRJFgOC1Om87yT8pAHnzgHhukZL\nAQ==\n-----END
>>>>>          CERTIFICATE-----\n-----BEGIN
>>>>>          CERTIFICATE-----\nMIIEJDCCAwygAwIBAgIDF2whMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNVBAYTAlVT\nMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0aW5nIEFw\ncGxpY2F0aW9uczEgMB4GA1UECxMXQ2VydGlmaWNhdGUgQXV0aG9yaXRpZXMxEDAO\nBgNVBAMTB015UHJveHkwHhcNMTIwMjAxMTUxMzE2WhcNMTIwMjEyMTUxODE2WjBd\nMQswCQYDVQQGEwJVUzE4MDYGA1UEChMvTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBl\ncmNvbXB1dGluZyBBcHBsaWNhdGlvbnMxFDASBgNVBAMTC0JyeWNlIEFsbGVuMIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArUf36B5rWNeguv3ZvCWE+xUs\nCEB3hGsp/fUv9I0RP3sSd+A4O7/Md0y12bDo+KsbQUsrFWg8mAqltloRgZzeyP5R\nYyp4ZD1xtGJLYzju6BIGJHC5AhXMvQO6LUzpOAJjXjYs2Isn0d0C6Bg3Z83jwVc5\nALzXFVKhe9UH+sphBmn/SjIjWst9AaGeF7xQNyibfMEMcmLNniPRAIpTp9W3uTOb\n3SgBWkBRBIu04qc1diTRViB6ZQ6gUiuBoIF810nDfozFg/I9IlltIIBJwOtl8W78\nK4A9rNGX9m9E0JXHUaIslJKYiAv/pKa4VeyWQ8rvDXzCh8UEu9alJqJj4A1DpwID\nAQABo4HOMIHLMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUC5UaHZjimiwXo2Bl\nzrOWRMi8i+swHwYDVR0jBBgwFoAU1/ylAnY69hP6K6Hg5lA1xyPHe1EwDAYDVR0T\nAQH/BAIwADA0BgNVHSAELTArMAwGCisGAQQBpD5kAgUwDAYKKoZIhvdMBQICAzAN\nBgsqhkiG90wFAgMCATA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY2EubmNzYS51\naXVjLmVkdS9mMmU4OWZlMy5jcmwwDQYJKoZIhvcNAQEFBQADggEBAKamGeSfMyQN\nOjanlYcDfmX5QVFHNk11WG+pPaOP45s8XyZ5qPBqmFcEQzQ99oq9N34fabkSNWaM\niEXoCQ/y3+LOvxzWqlmKXkZphPlTtz5Q7H57hggow42cvTf44ZKQPCNWr6WRK965\nF48PzgpRr4Sp+NXoK8/FLZNsunxzluttPMc8ihqFRuX+ssi7fXTG+2qvythX1v4a\ncJc4S1YLpTK3CKQXkRhvdJt7f2GMgUm7xFAb2XNNEEYHiu5T6fINyFW//bvShlg2\nJVzWhEuKWca6O1bn/wPH0oiMfLY/USJYUwExNCXRHUzLSGE67VuIEB/256x9ZB2e\nN1w+he3jSXI=\n-----END
>>>>>          CERTIFICATE-----\n\n"", "type": "delegate_proxy", } ],
>>>>> }
>>>>>
>>>>> It may include additional (unused) activation requirements in the
>>>>> DATA list, and other fields that were part of the original
>>>>> response from the server, so you can just take the response and
>>>>> add the proxy_chain value. However those are all optional and are
>>>>> ignored anyway.
>>>>>
>>>>> Hope that helps,
>>>>> Bryce
>>>>>
>>>>> On Tue, 31 Jan 2012 23:26:20 -0500
>>>>> Maxim Potekhin <potekhin at bnl.gov> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> when I look at activation requirements, I observe that they seem
>>>>>> to be tailored to password-based auth with MyProxy server. In our
>>>>>> situation, we need cert-based auth. Is it still possible?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Maxim
>>>>>>
>>>>>> _______________________________________________
>>>>>> transfer-api mailing list
>>>>>> transfer-api at lists.globusonline.org
>>>>>> https://lists.globusonline.org/mailman/listinfo/transfer-api
>>>>>>
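As an added example (not code from this thread or from the transfer-api client), the stdlib-only Python below takes a delegate_proxy activation_requirements document shaped like the one Bryce shows, pulls out the server-supplied public key that create_proxy would be handed, sanity-checks the PEM proxy chain before it leaves the client, and fills in the proxy_chain value while passing every other field back untouched. The requirements document and the certificate stand-ins are constructed, not real Globus Online data.

```python
import base64
import json
import re

# Constructed sample of a server's activation_requirements response for a
# delegate_proxy endpoint (assumption: mirrors the thread; real ones carry more entries).
SAMPLE_REQUIREMENTS = {
    "DATA_TYPE": "activation_requirements",
    "DATA": [
        {"DATA_TYPE": "activation_requirement", "type": "delegate_proxy",
         "name": "public_key", "value": "<public key PEM sent by the server>"},
        {"DATA_TYPE": "activation_requirement", "type": "delegate_proxy",
         "name": "proxy_chain", "value": ""},
    ],
}
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----", re.S)

def requirement(reqs, rtype, name):
    for entry in reqs["DATA"]:
        if entry.get("type") == rtype and entry.get("name") == name:
            return entry
    raise KeyError("no %s/%s activation requirement" % (rtype, name))

def server_public_key(reqs):
    """The PEM public key the server wants the new proxy certificate issued for."""
    return requirement(reqs, "delegate_proxy", "public_key")["value"]

def chain_certs_der(chain_pem):
    """Decode each CERTIFICATE block of a PEM chain; reject junk before it is sent."""
    certs = []
    for body in PEM_CERT.findall(chain_pem):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block is not a DER SEQUENCE")
        certs.append(der)
    if len(certs) < 2:  # the new proxy plus at least the user certificate that signed it
        raise ValueError("proxy chain needs the proxy and its issuing certificate")
    return certs

def fill_delegate_proxy(reqs, chain_pem):
    """Return a copy of the requirements with proxy_chain filled in, as the thread describes."""
    chain_certs_der(chain_pem)
    filled = json.loads(json.dumps(reqs))  # deep copy; the server's other fields go back unchanged
    requirement(filled, "delegate_proxy", "proxy_chain")["value"] = chain_pem
    return filled

def fake_cert_pem(payload):
    """Constructed stand-in for a certificate: a tiny DER SEQUENCE wrapping payload (not a real cert)."""
    der = b"\x30" + bytes([len(payload)]) + payload
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(der).decode()
```

The real proxy in the first chain position still has to be built from the server's public key with create_proxy (or openssl) and signed by the user's own certificate; this block only checks and packages the result.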