[Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ
Moreno Marzolla
moreno.marzolla at pd.infn.it
Fri Mar 20 09:25:12 CDT 2009
m.riedel at fz-juelich.de wrote:
> Hi,
>
>> - The gLite CREAM CE can be accessed either with pure TLS (X509
>> certificate) or using GSI (proxy-based) authentication. I think that
>> the same holds for other gLite components as well.
>
>
> So your service can work w/o proxies? Maybe for the initial AuthN yes
> - but for further use I guess you require a proxy for forwarding to
> CREAM or so?!

You can invoke any CREAM operation using either a plain X509
certificate, or a proxy certificate. In either case you can use the
service without problems. HOWEVER, in order to submit a job you NEED to
delegate a proxy to CREAM by first invoking the delegation port-type.
Once you have delegated a proxy, you can create/cancel/monitor your jobs
with plain X509 certificates.

Note that in order to contact the delegation port-type you can use
either an X509 certificate, or a proxy certificate.

So, a client with *only* an X509 certificate can perform any operation
on CREAM, PROVIDED that FIRST it delegates its credential to CREAM by
performing a delegation operation. A client with a delegated proxy can
also execute any operation on CREAM, provided that it further delegates
its credentials to CREAM.

This is the problem you mentioned which we experienced during the
OMII-EU project: BES clients were not executing the delegation
operation, so the service did not have any delegated credentials to use.
We then implemented a horrible workaround in CREAM which was fine for
demonstration purposes, but unfortunately cannot be applied for any
real use.

Moreno
--
Moreno Marzolla
INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy
EMail: moreno.marzolla at pd.infn.it Phone: +39 049 8277103
WWW : http://www.dsi.unive.it/~marzolla Fax : +39 049 8756233