OPS/FAQs/MyProxyServer

Introduction

  • A typical MyProxy configuration has one dedicated myproxy-server and MyProxy clients installed on all systems. You may want to set the MYPROXY_SERVER environment variable (to the hostname of your myproxy-server) in the default user environment on your client systems.

Configuration

  • In UMD, the configuration of the myproxy-server is done via YAIM. YAIM produces /etc/myproxy-server.conf according to what was configured in site-info.def.
  • The myproxy sample policies are set up using YAIM variables consisting of space-separated lists of DNs (note that each DN must be enclosed in single quotes, inside the double-quoted value):

GRID_AUTHORIZED_RETRIEVERS="'DN1' 'DN2'"
  • There are two kinds of myproxy policies: server-wide policies and default policies applied on a per-credential basis. The default per-credential policies are enforced when no per-credential policy is specified on upload (using myproxy-init or myproxy-store), and they apply in addition to the server-wide policies. These differences are explained in more detail in the Use Cases section.

YAIM variables for server-wide policies:

  1. GRID_AUTHORIZED_RETRIEVERS: If the client DN does not match, the client is not allowed to retrieve credentials from the server.

  2. GRID_AUTHORIZED_KEY_RETRIEVERS: This policy controls who can retrieve credentials (certificates and keys) directly from the repository using myproxy-retrieve. Clients must also match the authorized_retrievers policy. If no authorized_key_retrievers lines are specified, the server will not allow any client to retrieve keys directly from the repository.

  3. GRID_TRUSTED_RETRIEVERS: This policy controls who can retrieve credentials without further authentication. By default, clients that match authorized_retrievers must perform additional authentication (such as passphrase, PAM, or SASL) to retrieve credentials. However, authenticated clients that match both authorized_retrievers and trusted_retrievers do not need to perform additional authentication, unless the credentials are protected by a passphrase, in which case the passphrase is still required.

  4. GRID_AUTHORIZED_RENEWERS: If the client DN does not match, the client is not allowed to renew the credentials previously stored by a client.

  5. GRID_TRUSTED_BROKERS: Hosts trusted by the MyProxy node, i.e. resource brokers, WMS and FTS servers.

YAIM variables for default policies to be applied on a per-credential basis:

  1. GRID_DEFAULT_RETRIEVERS

  2. GRID_DEFAULT_KEY_RETRIEVERS

  3. GRID_DEFAULT_TRUSTED_RETRIEVERS

  4. GRID_DEFAULT_RENEWERS
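The two points above (the "'DN1' 'DN2'" list format of the YAIM variables, and the way server-wide policies, per-credential defaults and trusted_retrievers combine) are easier to reason about in code. The following is an added example written for this page; it is not MyProxy's or YAIM's own code. It assumes that YAIM lists are split like a shell would split them (shlex), that DN patterns match with shell-style wildcards (fnmatch), that a credential with no policy of its own falls back to the default_* policy, and that a renewer must present a proxy of the credential owner; the second user "Alice Example" and the pass phrase are constructed values.

```python
"""Model of the MyProxy authorization decisions described on this page.

Added example, not MyProxy's or YAIM's own code. Assumptions: YAIM lists use
the "'DN1' 'DN2'" form shown in the Configuration section and are split with
shlex; DN patterns match with shell-style wildcards (fnmatch); a credential
without its own -r/-R policy falls back to the default_* policy. The
pass-phrase comparison is a plain string compare only to keep the model short.
"""
import shlex
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

# YAIM variable -> myproxy-server.conf directive (directive names as in the man page).
YAIM_TO_DIRECTIVE = {
    "GRID_AUTHORIZED_RETRIEVERS": "authorized_retrievers",
    "GRID_AUTHORIZED_KEY_RETRIEVERS": "authorized_key_retrievers",
    "GRID_TRUSTED_RETRIEVERS": "trusted_retrievers",
    "GRID_AUTHORIZED_RENEWERS": "authorized_renewers",
    "GRID_DEFAULT_RETRIEVERS": "default_retrievers",
    "GRID_DEFAULT_KEY_RETRIEVERS": "default_key_retrievers",
    "GRID_DEFAULT_TRUSTED_RETRIEVERS": "default_trusted_retrievers",
    "GRID_DEFAULT_RENEWERS": "default_renewers",
}

GONCALO = "/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges"
WMS = "/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=wms01.ncg.ingrid.pt"
ALICE = "/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Alice Example"  # constructed second user

# Constructed site-info.def values, in the page's "'DN1' 'DN2'" format.
SITE_INFO = {
    "GRID_AUTHORIZED_RETRIEVERS": f"'{GONCALO}' '{ALICE}'",
    "GRID_TRUSTED_RETRIEVERS": f"'{GONCALO}'",
    "GRID_AUTHORIZED_RENEWERS": f"'{WMS}'",
    "GRID_DEFAULT_RETRIEVERS": "'*'",
    "GRID_DEFAULT_TRUSTED_RETRIEVERS": "'*'",
    "GRID_DEFAULT_RENEWERS": "'*'",
}


def parse_yaim(site_info: dict) -> dict:
    """Split every YAIM list into DN patterns, keyed by the server.conf directive."""
    return {YAIM_TO_DIRECTIVE[k]: shlex.split(v) for k, v in site_info.items()}


def render_conf(policy: dict) -> List[str]:
    """One 'directive "pattern"' line per DN, the layout myproxy-server.conf uses."""
    return [f'{directive} "{pat}"' for directive, pats in policy.items() for pat in pats]


def matches(patterns: List[str], dn: str) -> bool:
    return any(fnmatchcase(dn, pat) for pat in patterns)


@dataclass
class StoredCredential:
    owner: str                              # identity that ran myproxy-init
    passphrase: Optional[str] = None        # None models myproxy-init -n
    retrievers: Optional[List[str]] = None  # per-credential -r policy; None -> default_retrievers
    renewers: Optional[List[str]] = None    # per-credential -R policy; None -> default_renewers


def may_retrieve(policy: dict, cred: StoredCredential, client_dn: str, passphrase: Optional[str] = None):
    """Decide a myproxy-logon by client_dn; returns (allowed, reason)."""
    if not matches(policy["authorized_retrievers"], client_dn):
        return False, "client does not match authorized_retrievers"
    per_cred = cred.retrievers if cred.retrievers is not None else policy["default_retrievers"]
    if not matches(per_cred, client_dn):
        return False, "client does not match the credential's retriever policy"
    # Server-wide and per-credential trusted policies both have to match.
    trusted = (matches(policy["trusted_retrievers"], client_dn)
               and matches(policy["default_trusted_retrievers"], client_dn))
    if cred.passphrase is not None:
        # A pass-phrase protected credential needs the pass phrase even from trusted clients.
        if passphrase != cred.passphrase:
            return False, "credential is pass-phrase protected and no valid pass phrase was given"
        return True, "pass phrase verified"
    if trusted:
        return True, "trusted retriever: no further authentication needed"
    return False, "no pass phrase on credential and client is not trusted: PAM/SASL would be required"


def may_renew(policy: dict, cred: StoredCredential, renewer_dn: str, presented_identity: str):
    """Decide a renewal (the Case 3 WMS flow); returns (allowed, reason).
    Model assumption: the renewer must also present a proxy belonging to the owner."""
    if not matches(policy["authorized_renewers"], renewer_dn):
        return False, "renewer does not match authorized_renewers"
    per_cred = cred.renewers if cred.renewers is not None else policy["default_renewers"]
    if not matches(per_cred, renewer_dn):
        return False, "renewer does not match the credential's renewer policy"
    if presented_identity != cred.owner:
        return False, "presented proxy does not belong to the credential owner"
    return True, "renewal authorized"


if __name__ == "__main__":
    policy = parse_yaim(SITE_INFO)
    print("\n".join(render_conf(policy)))
    stored_n = StoredCredential(GONCALO)                        # Cases 2 and 3: myproxy-init -n
    stored_pw = StoredCredential(GONCALO, passphrase="s3cret")  # Case 1: pass-phrase protected
    print(may_retrieve(policy, stored_pw, GONCALO, "s3cret"))
    print(may_retrieve(policy, stored_n, GONCALO))
    print(may_renew(policy, stored_n, WMS, GONCALO))
```

The model makes the practical consequence of the policies visible: adding a DN to GRID_TRUSTED_RETRIEVERS only removes the pass-phrase prompt for credentials that were uploaded with -n, and a DN in GRID_AUTHORIZED_RETRIEVERS but not in GRID_TRUSTED_RETRIEVERS still needs some additional authentication for a credential stored without one.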

Start-up

  • YAIM starts the myproxy daemon at configuration time. Nevertheless, the service can be started or stopped at any time via /etc/init.d/myproxy. The following process should then be present on the myproxy server:

myproxy-server -c /etc/myproxy-server.conf --verbose

Use Cases

Case 1) Upload proxy to myproxy server and renew proxy

  • YAIM variables (to be set in the myproxy server's site-info.def)

GRID_AUTHORIZED_RETRIEVERS="'/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges'"
  • Start VOMS proxy (default 12h)

$ voms-proxy-init --voms dteam
Cannot find file or dir: /home/ingrid/csys/goncalo/.glite/vomses
Enter GRID pass phrase:
Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
Creating temporary proxy ................................................ Done
Contacting  lcg-voms.cern.ch:15004
 "dteam" Done
Creating proxy ............................. Done
Your proxy is valid until Thu Jun 24 23:11:51 2010
  • Store credential in MyProxy server

$ myproxy-init -d -s px01.ncg.ingrid.pt
Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
Enter GRID pass phrase for this identity:
Creating proxy ............................................. Done
Proxy Verify OK
Your proxy is valid until: Thu Jul  1 11:12:06 2010
Enter pass phrase:
Verifying - Enter pass phrase:
A proxy valid for 168 hours (7.0 days) for user /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges now exists on px01.ncg.ingrid.pt.
  • Retrieve a new proxy with 8 hours instead of 12

$ myproxy-logon -d -t 8 --voms dteam -s px01.ncg.ingrid.pt
Enter pass phrase:
Cannot find file or dir: /home/ingrid/csys/goncalo/.glite/vomses
Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges/CN=proxy/CN=proxy/CN=proxy
Creating temporary proxy .......................................................................................................... Done
Contacting  voms.cern.ch:15004
 "dteam" Done
Creating proxy ........................................................ Done
Your proxy is valid until Thu Jun 24 19:13:10 2010
A credential has been received for user /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges in /tmp/x509up_u500.
  • Confirm that the new proxy has 8 hours left

$ voms-proxy-info --all
subject   : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges/CN=proxy/CN=proxy/CN=proxy
identity  : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges/CN=proxy/CN=proxy/CN=proxy
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u500
timeleft  : 7:57:19
=== VO dteam extension information ===
VO        : dteam
subject   : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/swe/Role=NULL/Capability=NULL
attribute : /dteam/swe/lip/Role=NULL/Capability=NULL
timeleft  : 7:57:19
uri       : voms.cern.ch:15004
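Checking the retrieved proxy by eye, as above, does not scale to a cron job or a monitoring probe. The following added example (written for this page; not part of the original page or of the VOMS client tools) parses the voms-proxy-info --all output shown above, copied here as a constructed sample, and checks what a myproxy-logon -t <hours> --voms <vo> should have produced: a proxy lifetime within the requested number of hours, a VOMS extension that does not expire before the proxy, and an AC holder that matches the proxy identity. It assumes the "key : value" layout and H:MM:SS timeleft values seen in the session.

```python
"""Parse the output of 'voms-proxy-info --all' and check a myproxy-logon result.

Added example, not part of the original page or of the VOMS client tools. The
sample is a constructed copy of the session output shown above. It assumes the
'key : value' layout, one '=== VO <name> extension information ===' header per
VO, and timeleft values written as H:MM:SS.
"""
import re
from typing import List

SAMPLE = """\
subject   : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges/CN=proxy/CN=proxy/CN=proxy
identity  : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges/CN=proxy/CN=proxy/CN=proxy
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u500
timeleft  : 7:57:19
=== VO dteam extension information ===
VO        : dteam
subject   : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/swe/Role=NULL/Capability=NULL
attribute : /dteam/swe/lip/Role=NULL/Capability=NULL
timeleft  : 7:57:19
uri       : voms.cern.ch:15004
"""

VO_HEADER = re.compile(r"^=== VO (\S+) extension information ===$")


def parse_voms_proxy_info(text: str) -> dict:
    """Return {'proxy': {...}, 'vos': {vo_name: {...}}}; repeated 'attribute' keys become a list."""
    info = {"proxy": {}, "vos": {}}
    section = info["proxy"]
    for line in text.splitlines():
        m = VO_HEADER.match(line.strip())
        if m:
            section = info["vos"].setdefault(m.group(1), {})
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # first ':' only; values such as host:port contain ':'
        key, value = key.strip(), value.strip()
        if key == "attribute":
            section.setdefault("attribute", []).append(value)
        else:
            section[key] = value
    return info


def timeleft_seconds(value: str) -> int:
    """Convert the H:MM:SS timeleft field to seconds."""
    hours, minutes, seconds = (int(x) for x in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def strip_proxy_cns(dn: str) -> str:
    """Drop trailing /CN=proxy (legacy) or /CN=<number> (RFC) components to get the end-entity DN."""
    return re.sub(r"(/CN=(proxy|limited proxy|\d+))+$", "", dn)


def check_logon(info: dict, vo: str, requested_hours: int) -> List[str]:
    """Problems with a proxy from 'myproxy-logon -t <requested_hours> --voms <vo>'; empty list means OK."""
    problems = []
    proxy = info["proxy"]
    ext = info["vos"].get(vo)
    if ext is None:
        return [f"no VOMS extension for VO {vo}"]
    proxy_left = timeleft_seconds(proxy["timeleft"])
    if not 0 < proxy_left <= requested_hours * 3600:
        problems.append(f"proxy lifetime {proxy['timeleft']} is outside the requested {requested_hours}h")
    if timeleft_seconds(ext["timeleft"]) < proxy_left:
        problems.append("VOMS attributes expire before the proxy does")
    if strip_proxy_cns(proxy["identity"]) != ext["subject"]:
        problems.append("VOMS AC holder differs from the proxy identity")
    return problems


if __name__ == "__main__":
    parsed = parse_voms_proxy_info(SAMPLE)
    print(check_logon(parsed, "dteam", 8))  # [] for the session above
```

In a probe, replace SAMPLE with the captured output of voms-proxy-info --all and alert on a non-empty list; the same parser also exposes the strength field, should a site want to flag short proxy keys.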

Case 2) Upload proxy to myproxy server and renew proxy without being prompted for a pass phrase

  • YAIM variables (to be set in the myproxy server's site-info.def)

GRID_AUTHORIZED_RETRIEVERS="'/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges'"
GRID_TRUSTED_RETRIEVERS="'/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges'"
  • Start VOMS proxy (default 12h)

$ voms-proxy-init --voms dteam
Cannot find file or dir: /home/ingrid/csys/goncalo/.glite/vomses
Enter GRID pass phrase:
Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
Creating temporary proxy ................ Done
Contacting  lcg-voms.cern.ch:15004
 "dteam" Done
Creating proxy .......................................................... Done
Your proxy is valid until Thu Jun 24 23:36:00 2010
  • Store credential in MyProxy server (note the "-n" option)

$ myproxy-init -d -n -s px01.ncg.ingrid.pt
Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
Enter GRID pass phrase for this identity:
Creating proxy ............................................................. Done
Proxy Verify OK
Your proxy is valid until: Thu Jul  1 11:37:24 2010
A proxy valid for 168 hours (7.0 days) for user /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges now exists on px01.ncg.ingrid.pt.
  • Retrieve a new proxy with 8 hours instead of 12 (note the "-n" option and that no passwords are requested)

$ myproxy-logon -d -n -t 2 --voms dteam -s px01.ncg.ingrid.pt
Cannot find file or dir: /home/ingrid/csys/goncalo/.glite/vomses
Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges/CN=proxy/CN=proxy/CN=proxy
Creating temporary proxy .................................................................................... Done
Contacting  lcg-voms.cern.ch:15004
 "dteam" Done
Creating proxy ............................................. Done
Your proxy is valid until Thu Jun 24 13:36:40 2010
A credential has been received for user /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges in /tmp/x509up_u500.

Case 3) Allow renewal of proxies by another entity (for very long job executions)

  • YAIM variables for WMS renewals (to be set in the myproxy server's site-info.def)

GRID_AUTHORIZED_RENEWERS="'/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=wms01.ncg.ingrid.pt'"
  • Start VOMS proxy (default 12h)

$ voms-proxy-init --voms dteam
Cannot find file or dir: /home/ingrid/csys/goncalo/.glite/vomses
Enter GRID pass phrase:
Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
Creating temporary proxy ................ Done
Contacting  lcg-voms.cern.ch:15004
 "dteam" Done
Creating proxy .......................................................... Done
Your proxy is valid until Thu Jun 24 23:36:00 2010
  • Store credential in MyProxy server (note the "-n" option)

$ myproxy-init -d -n -s px01.ncg.ingrid.pt
Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
Enter GRID pass phrase for this identity:
Creating proxy ............................................................. Done
Proxy Verify OK
Your proxy is valid until: Thu Jul  1 11:37:24 2010
A proxy valid for 168 hours (7.0 days) for user /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges now exists on px01.ncg.ingrid.pt.
  • Proxy renewals will then be executed by the WMS, as long as the job JDL contains

MyProxyServer="px01.ncg.ingrid.pt"

References

  1. MyProxy Manual: http://grid.ncsa.illinois.edu/myproxy/authorization.html

  2. MyProxy Guide: http://www.globus.org/toolkit/docs/4.0/security/myproxy/admin-index.html

  3. myproxy-server.config(5) man page: http://grid.ncsa.illinois.edu/myproxy/man/myproxy-server.config.5.html

  4. PX server YAIM variables: https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#site_info_def
