[transfer-api] Can I use cert-based authentication with MyProxy?

Bryce Allen ballen at ci.uchicago.edu
Wed Feb 1 10:41:24 CST 2012


On Wed, 01 Feb 2012 11:25:58 -0500
Maxim Potekhin <potekhin at bnl.gov> wrote:
> My client will run in the cloud; there is only so much I can
> reasonably install on remote worker nodes, on the fly. Yum is out of
> the question.
> 
> Is there any workaround to get auth to Globus Online?
> 
> Alternatively, is there a simple way to use MyProxy, whereby it does
> not allow anonymous retrieval? If yes, could you post a complete

What do you mean by anonymous retrieval? When using the myproxy
activation method, you send the myproxy username/password to
globusonline, and globusonline calls myproxy-logon with the appropriate
myproxy server using that user/pass. The username/password are sent
over SSL and are never stored. The short-term credential returned from
myproxy-logon is the only thing we keep, in order to perform operations
on the user's behalf.

Having the username/password pass through is undesirable for some, which
is why we created delegate_proxy activation. But there is no anonymous
retrieval that I can think of.

Some possible workarounds:

- Use the CLI to activate using gsissh -g (but this requires having
  Globus Toolkit installed on the client).
- Modify delegate_proxy_activate.py to use the openssl command to
  create and sign the certificate instead of M2Crypto. The signing part
  is definitely doable, but I'm not sure if it's possible to create a
  proxy certificate just with the openssl command.

Creating a proxy and signing it is a fairly complex operation - some
tooling is needed. What do you have available on the worker nodes? Is
running easy_install to compile M2Crypto against openssl also out of
the question?