[transfer-api] Can I use cert-based authentication with MyProxy?
potekhin at bnl.gov
Wed Feb 1 10:47:15 CST 2012
Thanks for the note.
On 2/1/2012 11:41 AM, Bryce Allen wrote:
> What do you mean by anonymous retrieval? When using the myproxy
> activation method, you send the myproxy username/password to
> globusonline, and globusonline calls myproxy-logon with the appropriate
> myproxy server using that user/pass.
I guess I was referring to myself being unable to activate an EP on
web site, when I specified the CERN instance of MyProxy. This is the
I got on GO web site:
Activate of endpoint 'mxp#MXP_BNL_TEST' failed: Failed to receive
credentials. ERROR from myproxy-server: "<anonymous>" not authorized by
server's default trusted_retrievers policy "<anonymous>" not authorized
by server's authorized_retrievers policy "<anonymous>" not authorized by
server's authorized_renewers policy
I haven't tried a similar operation in the Python client, will probably
do... Suspect will see the same behavior.
> The username/password are sent
> over ssl and are never stored. The short term credential returned from
> myproxy-logon is the only thing we keep, in order to perform operations
> on the user's behalf.
> Having the username/password pass through is undesirable for some, which
> is why we created delegate_proxy activation. But there is no anonymous
> retrieval that I can think of.
> Some possible workarounds:
> - Use the CLI to activate using gsissh -g (but this requires having
> globus toolkit installed on the client).
> - Modify delegate_proxy_activate.py to use the openssl command to
> create and sign the certificate instead of M2Crypto. The signing part
> is definitely doable, but I'm not sure if it's possible to create a
> proxy certificate just with the openssl command.
> Creating a proxy and signing it is a fairly complex operation - some
> tooling is needed. What do you have available on the worker nodes? Is
> running easy_install to compile M2Crypto against openssl also out of
> the question?
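
The second workaround above leaves open whether the openssl command alone can produce a proxy certificate. As an added example (not part of the original thread and not code from the Globus Online project), this sketch creates and signs an RFC 3820 proxy certificate using only the openssl CLI and its proxyCertInfo extension. The throwaway "user" certificate, subjects, serial number and file names are constructed, and the sketch generates its own proxy key pair rather than modelling the delegate_proxy exchange.

```bash
#!/usr/bin/env bash
# Added example: RFC 3820 proxy certificate built with the openssl CLI only.
# All subjects, serials and file names below are constructed for illustration.

make_proxy() {
  local dir="$1"
  local user_subj="/O=Example Grid/CN=Test User"   # constructed identity

  # 1. Stand-in for the user's long-lived end-entity certificate and key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$user_subj" \
    -keyout "$dir/user.key" -out "$dir/user.crt" 2>/dev/null || return 1

  # 2. Extension section that marks the new certificate as a proxy.
  #    inheritAll: the proxy carries all rights of its issuer.
  #    pathlen:0 : the proxy may not issue further proxies.
  cat > "$dir/proxy.cnf" <<'EOF'
[ v3_proxy ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
proxyCertInfo = critical, language:id-ppl-inheritAll, pathlen:0
EOF

  # 3. Fresh short-lived key and CSR. RFC 3820 requires the proxy subject
  #    to be the issuer's subject plus exactly one extra CN component.
  openssl req -new -newkey rsa:2048 -nodes -subj "$user_subj/CN=12345" \
    -keyout "$dir/proxy.key" -out "$dir/proxy.csr" 2>/dev/null || return 1

  # 4. Sign the CSR with the user's own key (the user acts as issuer)
  #    and keep the lifetime short: one day.
  openssl x509 -req -in "$dir/proxy.csr" \
    -CA "$dir/user.crt" -CAkey "$dir/user.key" -set_serial 12345 -days 1 \
    -extfile "$dir/proxy.cnf" -extensions v3_proxy \
    -out "$dir/proxy.crt" 2>/dev/null || return 1
}

# Print the fields that matter when checking the result by eye.
show_proxy() {
  openssl x509 -in "$1/proxy.crt" -noout -subject -issuer -enddate
  openssl x509 -in "$1/proxy.crt" -noout -text | grep -A 3 "Proxy Certificate"
}
```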