Bugzilla – Bug 6882
VOMS extension in MyProxy server
Last modified: 2010-03-09 17:09:00
Dear Jim, and Folks,

We have extended MyProxy server for VOMS extension. It allows us to avoid VOMS libraries and command on the client-side.

In the current MyProxy implementation, myproxy-logon supports --voms option in order to retrieve VOMS extension in the proxy certificate. However, it just executes voms-proxy-init command on the client. And CoG JGlobus does not support this functionality.

We have extended MyProxy Get COMMAND message for VOMS attribute requests, and extended CoG JGlobus library to send new message.

Patch for MyProxy 4.9
http://files.geogrid.org/users/naotaka/myproxy-4.9-voms.patch
This patch includes updated configure script. Please re-generate configure script via bootstrap command.

Patched MyProxy 4.9
http://files.geogrid.org/users/naotaka/myproxy-4.9-VOMS1.tar.gz

Patch for CoG JGlobus
http://files.geogrid.org/users/naotaka/cog-jglobus-1.7.0-voms.patch

Recently, we have not implemented C-API for new Get message, yet.

regards,
- Naotaka
Naotaka, thank you for this contribution. I'll review it as soon as possible.
I found a problem in the previous patch: it cannot handle a proxy certificate stored in the MyProxy repository. The previous patch only works for an EE stored in the MyProxy repository via the 'myproxy-store' command.

The reason is that the VOMS verification API does not support proxy certificates, and we found that the voms-proxy-init command does not verify the validity of the VOMS extension. Therefore, in order to support proxy certificates, verification will be skipped when a proxy certificate is used. Of course, when an EE is used, MyProxy will verify the VOMS extension.

New patch and whole tar ball are available on
http://files.geogrid.org/users/naotaka/myproxy-4.9-voms2.patch
http://files.geogrid.org/users/naotaka/myproxy-4.9-VOMS2.tar.gz

This patch includes the previous one; it works for MyProxy version 4.9.

I'm sorry for this mistake.

best regards,
- Naotaka
Thanks very much Naotaka. I'll work on it when I return from vacation January 4.

On 12/21/09 10:21 PM, Naotaka YAMAMOTO wrote:
> Dear Jim,
>
> We have implemented the patch using globus_gsi_proxy_handle_set_extensions()
> instead of our ssl functions. So then, we could support all types of Proxies.
> You may see our patch and whole tar ball at
> http://files.geogrid.org/devel/MyProxy-VOMS/myproxy-4.9-VOMS3.tar.gz
> http://files.geogrid.org/devel/MyProxy-VOMS/myproxy-4.9-voms3.patch
>
> We have tested it with GT 4.2.1 and VOMS 1.8.8 from source code.
> # GT from http://www.globus.org/toolkit/
> # We got VOMS source code from cvs repository:
> # cvs -d:pserver:anonymous@jra1mw.cvs.cern.ch:/cvs/jra1mw co -r glite-security-voms_R_1_8_8 org.glite.security.voms
>
> It is still based on MyProxy 4.9, but I will send you the most recent patch for MyProxy 5.0 soon.
>
> Thank you in advance,
>
> - Naotaka
We have updated a patch for MyProxy 5.0

http://files.geogrid.org/devel/MyProxy-VOMS/myproxy-5.0-VOMS1.tar.gz
http://files.geogrid.org/devel/MyProxy-VOMS/myproxy-5.0-voms.patch

best regards,
I have committed the patch to CVS: http://lists.globus.org/pipermail/myproxy-commit/2010-January/000333.html It should appear in MyProxy v5.1. Thanks!
Thank you Jim for committing the patch to CVS!

BTW, it cannot work without a modified client. For this purpose, we have implemented a Java client in CoG which allows us to generate a VOMS-enabled proxy certificate from a stored credential in the MyProxy repository.

A patch is here:
http://files.geogrid.org/users/naotaka/cog-jglobus-1.7.0-voms.patch
(no changes from the first message)

Could you include it in the next cog release?

ps. Furthermore, we are developing C-API and CLI.

regards,
Yes, I'll look at the jglobus patch next.

By the way, you sent some documentation to me by email as part of our discussion of the implementation. Do you have any updates to the documentation? Any documentation I could add (or link to) on the MyProxy web site would be great. For example, we should update http://myproxy.ncsa.uiuc.edu/protocol to document the new VOMS parameters.

Also, do you know what VOMS version is required to work with the myproxy-server patch? The newformat.h header is new to me, so I wonder if that changes our VOMS version requirement and if we should be adding any additional checks in the MyProxy configure script for the VOMS version. I know you tested with VOMS 1.8.8, but do you know if it's OK with other VOMS versions? (I also plan to do some more testing of my own.)
(In reply to comment #7)
> Yes, I'll look at the jglobus patch next.

Thank you

>
> By the way, you sent some documentation to me by email as part of our
> discussion of the implementation. Do you have any updates to the documentation?
> Any documentation I could add (or link to) on the MyProxy web site would be
> great. For example, we should update http://myproxy.ncsa.uiuc.edu/protocol to
> document the new VOMS parameters.
>

Not yet, but I would like to update the documents. I think we must update the protocol document and the server configuration.
- Protocol: http://grid.ncsa.illinois.edu/myproxy/protocol/
- http://grid.ncsa.illinois.edu/myproxy/man/myproxy-server.config.5.html

How can I give you a patch or an updated document?

Also, I would like to update the VOMS instruction page:
http://grid.ncsa.illinois.edu/myproxy/voms/

> Also, do you know what VOMS version is required to work with the myproxy-server
> patch? The newformat.h header is new to me, so I wonder if that changes our
> VOMS version requirement and if we should be adding any additional checks in
> the MyProxy configure script for the VOMS version. I know you tested with VOMS
> 1.8.8, but do you know if it's OK with other VOMS versions? (I also plan to do
> some more testing of my own.)

Sorry, I'm not sure now. At least, newformat.h exists in the glite-security-voms_R_1_2_18 tag in CVS. It might be VOMS version 1.2.18, but we have never tested with such an older version. We will also test with other versions.

I forgot to mention the dependency (but we discussed it in our e-mail exchange). The globus_gsi_proxy_handle_set_extensions() function is new in GT 4.2; it does not exist in GT 4.0. This patch does not work with GT 4.0, but the configure script can detect these versions.
# for GT4.0 patch will be released on our own website.
Thanks for offering to help with documentation updates. It's much appreciated. Patches are fine. You can checkout the web site from CVS via:

cvs -d ':pserver:anonymous@cvs.ncsa.uiuc.edu:/CVS/myproxy' co myproxy-web

Alternatively, if you'd like to become a MyProxy Committer, I'd be happy for you to have direct CVS write access. In that case, the first thing I need to know is your sourceforge.net username.

I see that VDT 2.0.0 has VOMS 1.8.8, so that's likely the most important version for us in any case. Also it looks like Fedora has VOMS 1.9. I added an AC_CHECK_HEADER(newformat.h) to configure.in. Hopefully that will cover it.

Yes, we should remember to document this feature's dependency on GT 4.2+, implemented by the check for globus_gsi_proxy_handle_set_extensions() in configure.in.
(In reply to comment #4) > We have updated a patch for MyProxy 5.0 > > http://files.geogrid.org/devel/MyProxy-VOMS/myproxy-5.0-VOMS1.tar.gz > http://files.geogrid.org/devel/MyProxy-VOMS/myproxy-5.0-voms.patch > > best regards, We have updated a patch on http://files.geogrid.org/devel/MyProxy-VOMS/myproxy-5.0-voms2.patch because the previous patch does not work with VOMS 1.9. In VOMS 1.9.14 (cvs tag: glite-security-voms_R_1_9_14_3), sk_AC_insert has been removed. Then we use sk_AC_push instead of sk_AC_insert. - if (! sk_AC_insert(acseq->acs, ac, -1) ) { - verror_put_string("sk_AC_insert failed"); + if (! sk_AC_push(acseq->acs, ac) ) { + verror_put_string("sk_AC_push failed"); Also, we have tested with VOMS 1.8.11 (glite-security-voms_R_1_8_12_1). # I'm not sure, cvs tag name looks like version 1.8.12, but configure script # has version of 1.8.11 regards,
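Review bot: the `sk_AC_push(acseq->acs, ac)` line replaces `sk_AC_insert(acseq->acs, ac, -1)` with nothing in the code saying why, so a short comment there noting that sk_AC_insert is gone as of VOMS 1.9.14 and that push appends at the end of the stack, as insert at index -1 did, would keep a later reader from reverting it. The failure branch shown stops at `verror_put_string("sk_AC_push failed");`, so what happens to `ac` on that path is not visible in this excerpt and is worth confirming against the full patch.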
(In reply to comment #9)
> Thanks for offering to help with documentation updates. It's much appreciated.
> Patches are fine. You can checkout the web site from CVS via:
>
> cvs -d ':pserver:anonymous@cvs.ncsa.uiuc.edu:/CVS/myproxy' co myproxy-web
>

Thank you. I have checked out these files and I'm writing patches. However, I could not find the original files for the manpage. Do you use docbook or something in order to generate manual pages?

> Alternatively, if you'd like to become a MyProxy Committer, I'd be happy for
> you to have direct CVS write access. In that case, the first thing I need to
> know is your sourceforge.net username.
>

Of course, yes. I would like to be a MyProxy Committer. I will give you my username.

> I see that VDT 2.0.0 has VOMS 1.8.8, so that's likely the most important
> version for us in any case. Also it looks like Fedora has VOMS 1.9. I added an
> AC_CHECK_HEADER(newformat.h) to configure.in. Hopefully that will cover it.
>

As mentioned before, we have tested with the latest of versions 1.8 and 1.9. However, we gave up on using VOMS 1.7.x because we could not compile VOMS 1.7 with VDT globus.

regards,
(In reply to comment #11)
> However, I could not find the original files for manpage. Do you use
> docbook or something in order to generate manual pages?

The source for the man pages is in the man subdirectory of the myproxy module:

http://cilogon.cvs.sourceforge.net/viewvc/cilogon/myproxy/man/

I generate the HTML versions using man2html (see the make_html script).
(In reply to comment #12)
> (In reply to comment #11)
> > However, I could not find the original files for manpage. Do you use
> > docbook or something in order to generate manual pages?
>
> The source for the man pages is in the man subdirectory of the myproxy module:
>
> http://cilogon.cvs.sourceforge.net/viewvc/cilogon/myproxy/man/
>

Thank you. I'll modify it.

> I generate the HTML versions using man2html (see the make_html script).

I see. I also found comments in HTML files.
(In reply to comment #10)
> In VOMS 1.9.14 (cvs tag: glite-security-voms_R_1_9_14_3),
> sk_AC_insert has been removed. Then we use sk_AC_push
> instead of sk_AC_insert.

I committed this change:
http://lists.globus.org/pipermail/myproxy-commit/2010-January/000343.html
(In reply to comment #14)
> (In reply to comment #10)
> > In VOMS 1.9.14 (cvs tag: glite-security-voms_R_1_9_14_3),
> > sk_AC_insert has been removed. Then we use sk_AC_push
> > instead of sk_AC_insert.
>
> I committed this change:
> http://lists.globus.org/pipermail/myproxy-commit/2010-January/000343.html

Thank you, Jim,
I also committed logging function.

- Naotaka
Naotaka, I expect to release MyProxy v5.1 with this functionality next week. I just added an allow_voms_attribute_requests option for myproxy-server.config to enable/disable this functionality: http://lists.globus.org/pipermail/myproxy-commit/2010-March/000388.html I like to make the myproxy-server conservative about enabling functionality, to allow the administrator to only enable those features that are desired. I hope you don't find it inconvenient to set this additional option.
(In reply to comment #16)
> Naotaka, I expect to release MyProxy v5.1 with this functionality next week. I
> just added an allow_voms_attribute_requests option for myproxy-server.config to
> enable/disable this functionality:
>
> http://lists.globus.org/pipermail/myproxy-commit/2010-March/000388.html
>
> I like to make the myproxy-server conservative about enabling functionality, to
> allow the administrator to only enable those features that are desired. I hope
> you don't find it inconvenient to set this additional option.

I agree with you. No problem.
MyProxy 5.1 released today.