|
From: dejw <de...@ma...> - 2006-11-21 10:03:58
|
Hi,

I am interested in providing portal access to the GridSAM service. I have a working client ready. I'm using omii stuff with a keystore to create an SSL connection between the portal and the service. The question is how to recognize each portal user in the GridSAM service - I mean how to authenticate and authorize them. Because now every user can use portal access without restriction, because the GridSAM server can see only the client with the given keystore. What options do I have? Can I send for example the user DN and resolve it on the server side? Something like GSI where I can provide the user's proxy credentials? Maybe I should use some omii server technology? I saw there some account service or something?

Best Regards,
Dawid Szejnfeld, PSNC |
|
From: A.S.McGough <as...@do...> - 2006-11-21 18:24:53
|
Dear Dawid,

Unfortunately Vesso, who would know more about the security side, is on holiday at the moment, so I'll try to answer as best I can.

GridSAM supports communication to the service through HTTPS - I'm assuming that this is what you are using at the moment? It also supports the use of WS-Security - which will allow you to use user certificates when submitting jobs. This will allow you to perform user Authentication and Authorisation.

As for how to enable WS-Security, if you look in the old archive of this list I believe William Lee explained this.

Hope this is of help - if not feel free to get back in touch,

steve..

--
Dr A. Stephen McGough
http://www.doc.ic.ac.uk/~asm
Technical Coordinator, London e-Science Centre, Imperial College London, Department of Computing, 180 Queen's Gate, London SW7 2BZ, UK
tel: +44 (0)207-594-8409 fax: +44 (0)207-581-8024 |
|
From: dejw <de...@ma...> - 2006-11-22 08:34:45
|
Hi Steve,

thanks for the reply. I didn't find any William Lee message concerning WS-Security. Do you have any examples of code or something? How to use the gridsam API and use WS-Security with it? I wonder if I can maybe use a globus proxy certificate inside WS-Security somehow. I would like to try to do this, what do you think? So should I wait until Vesso is available?

Dawid |
|
From: Garry S. <gar...@co...> - 2006-11-22 11:19:04
|
Hi Dawid,

> The question is how to recognize each portal user in GridSAM service - I mean how to authenticate and authorize them. Because now every user can use portal access without restriction because GridSAM server can see only client with given keystore. What option do I have? Can I send for example user DN and resolve it on the server side? something like GSI where I can provide user's proxy credentials? Maybe I should use some omii server technology? I saw there some account service or something?

I normally include the myproxy element in the JSDL and insert the user's DN into the GridSAM's authorization.xml. See the following link

http://gridsam.sourceforge.net/1.1/deploymentguide/auth.html

regards
Garry |
|
From: Garry S. <gar...@co...> - 2006-11-22 12:07:29
|
Hi Dawid,

> I did some experiment - I changed in authorization.xml deny and allow rules to <false/>. So I understand that nobody should be able to submit jobs?
> But after I changed this and restart server I still can submit jobs. So maybe I have something wrong with my configuration? It works for you?

Yes I had this working. Check the file at http://acet.rdg.ac.uk/~gms/authorisation.xml

I remember experiencing some problems so kept the badguys group defined. Don't quite remember what the issue was now.

> And the question about this authorization mechanism:
>
> What is taken into account? The principal DN from the keystore used to create connection between client and server? or the DN is taken from user's globus proxy?

Should be the DN from user's globus proxy.

Garry |
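The distinction in the answer above (authorize on the DN from the user's globus proxy, not on the DN of the portal keystore that opened the connection), as an added example; it is not part of the original posts and is not GridSAM code. The function names and sample DNs are hypothetical, and the example assumes the proxy certificate chain has already been cryptographically validated before its subject is used.

```python
import re

# Trailing RDNs that GSI proxy certificates append to the signer's subject:
# legacy proxies add CN=proxy or CN=limited proxy, RFC 3820 proxies add CN=<digits>.
_PROXY_SUFFIX = re.compile(r"(?:/CN=(?:proxy|limited proxy|\d+))+$")


def end_entity_dn(subject_dn: str) -> str:
    """Map a proxy certificate subject back to the user's own DN."""
    return _PROXY_SUFFIX.sub("", subject_dn)


def authorize(channel_dn, proxy_dn, trusted_portals, allowed_users):
    """Return (allowed, reason); every path that is not an explicit allow denies."""
    if channel_dn not in trusted_portals:
        return False, "TLS peer is not a trusted portal"
    if not proxy_dn:
        # The portal keystore identifies the portal, never the person using it.
        return False, "no user credential presented"
    user = end_entity_dn(proxy_dn)
    if user not in allowed_users:
        return False, "user DN not in allow list: " + user
    return True, "allowed: " + user


# Constructed sample identities (hypothetical, not taken from the thread).
PORTAL = "/C=XX/O=Example Grid/CN=host/portal.example.org"
ALICE = "/C=XX/O=Example Grid/CN=Alice Example"
MALLORY = "/C=XX/O=Example Grid/CN=Mallory Example"
TRUSTED_PORTALS = {PORTAL}
ALLOWED_USERS = {ALICE}

if __name__ == "__main__":
    samples = (ALICE + "/CN=proxy", ALICE + "/CN=1234567/CN=89",
               MALLORY + "/CN=proxy", None)
    for proxy in samples:
        print(proxy, "->", authorize(PORTAL, proxy, TRUSTED_PORTALS, ALLOWED_USERS))
```

With an empty allow list every request is denied, which is the behaviour to expect when testing a deny-all policy like the one tried in the thread.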
|
From: dejw <de...@ma...> - 2006-11-22 12:32:50
|
Hi Garry,

thanks for this, I used your authorisation.xml without changes and ... it doesn't work for me! :) I don't understand this. I can still submit jobs, even when I use /bin/sleep and I have another DN than in your file. Should I change the GridSAM configuration somewhere else? It is weird.

Dawid |
|
From: dejw <de...@ma...> - 2006-11-22 11:54:59
|
Hi Garry,

I did some experiment - I changed in authorization.xml deny and allow rules to <false/>. So I understand that nobody should be able to submit jobs? But after I changed this and restarted the server I can still submit jobs. So maybe I have something wrong with my configuration? It works for you?

And the question about this authorization mechanism:

What is taken into account? The principal DN from the keystore used to create the connection between client and server? Or is the DN taken from the user's globus proxy? But what if the target system is not globus based? fork, condor or something? Then if you have information about the myproxy server where the user stores their credentials, it's useless? Or maybe it is used by GridSAM internally to check the user's DN and authorize him without bothering about what is below the GridSAM service (i.e. fork, condor etc.)?

Dawid |
|
From: dejw <de...@ma...> - 2007-05-18 11:59:36
|
Hi,

simple question - which version of BES is implemented within GridSAM? the latest v33 ?

Regards,
Dawid Szejnfeld |
|
From: Vesselin N. <ve...@do...> - 2007-05-21 17:00:38
|
dejw wrote:

> Hi,
>
> simple question - which version of BES is implemented within GridSAM? the latest v33 ?

No. The BES version supported in GridSAM is the one finalized for the HPCProfile demo at SuperComputing'06 in Tampa, FL in November 2006. |