Authentication and Authorization for Client Developers
From CaGrid
A Client Developer’s Guide to Authentication on the Grid
Contributors: Bill Stephens, Justin Permar
Overview
This article focuses on Authentication for Grid client application developers. The instructions are written with the assumption that you will not be building caGrid but only need to obtain the caGrid and Globus Jar files. The code examples, written for the command line, are not specific to any client development framework in order to focus on the functionality that must be implemented rather than actual GUI code.
The credentials obtained during authentication are used to call operations of secure Grid services.
It may be helpful to read the GAARDS Overview (Grid Authentication and Authorization with Reliably Distributed Services) to understand grid security.
Grid Trust Fabric
The Grid Trust Fabric, managed by the GTS service(s) on the Grid, is an essential component of successful authentication. Each time a client connects to a service, the client and the service both check the other's credentials. Only if the client and the service mutually trust each other can communication take place. Specifically, the client must trust the certificate authority that issued the server's certificate. In addition, the server must trust the certificate authority that issued the client's certificate.
The list of certificate authorities that each client and service trusts is managed by the Grid GTS service. To successfully trust services on the Grid, a client must synchronize with the Grid's GTS service. Only then can a client use secure Grid services.
Synchronizing with the Grid's GTS
Approaches for syncing with the Trust Fabric are discussed in Syncing with the Trust Fabric.
The quickest way to change the Grid you are using when you use a caGrid 1.1 or later distribution is to change target grids. The process of changing target Grids re-configures the caGrid distribution to use services on the chosen Grid. It also syncs against the chosen Grid's GTS service.
After successfully synchronizing with the Grid's GTS service, you can proceed to logging in to the Grid as described next.
Authentication
The process of authentication involves obtaining a username and password from your user and then verifying this information against an Identity Provider (IDP). An IDP may be a local LDAP server or, as in our example, the caGrid Training Grid Dorian service. A successful authentication results in your process receiving a SAML assertion, which attests that the user has authenticated and is used to federate local users to the grid.
Once the SAML assertion has been obtained, the client must provide it to the Identity Federation Service (IFS) to obtain a grid identity, in the form of a proxy certificate, which is then used when invoking secured grid services.
For the purposes of this code we use the Training Grid Dorian service URL:
https://dorian.training.cagrid.org:8443/wsrf/services/cagrid/Dorian
If you have not been provided with a training grid user you will need to create one.
- Download the GAARDS-UI
- Create a user account
- Logon to the grid to verify access.
Create Credential
import gov.nih.nci.cagrid.authentication.bean.BasicAuthenticationCredential;
import gov.nih.nci.cagrid.authentication.bean.Credential;

// Wrap the username and password entered by the user (the input parameters listed below)
Credential credential = new Credential();
BasicAuthenticationCredential bac = new BasicAuthenticationCredential();
bac.setUserId(username);
bac.setPassword(password);
credential.setBasicAuthenticationCredential(bac);
Obtain SAML assertion using the AuthenticationClient
import gov.nih.nci.cagrid.authentication.client.AuthenticationClient;
import gov.nih.nci.cagrid.opensaml.SAMLAssertion;

// url is the Dorian service URL given above; authenticate() verifies the credential against the IDP
AuthenticationClient client = new AuthenticationClient(url, credential);
SAMLAssertion saml = client.authenticate();
Obtain Grid Proxy Certificate
import gov.nih.nci.cagrid.dorian.client.IFSUserClient;
import gov.nih.nci.cagrid.dorian.ifs.bean.ProxyLifetime;
import org.globus.gsi.GlobusCredential;

// Create an IFS client for authorization (same Dorian URL as above)
IFSUserClient ifsClient = new IFSUserClient(url);
// Create a lifetime for the proxy, 12 hours in this case
ProxyLifetime lifetime = new ProxyLifetime();
lifetime.setHours(12);
lifetime.setMinutes(0);
lifetime.setSeconds(0);
// Specify delegation; use 0 for now. 0 indicates that the credential cannot be delegated
int delegation = 0;
// Obtain your proxy and save it for use in invoking grid services
GlobusCredential cred = ifsClient.createProxy(saml, lifetime, delegation);
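The three steps above combined into one command-line login client, as an added example that is not the page's attached example or caGrid's own code. It assumes the Training Grid Dorian URL given above and a hypothetical class name GridLogin and output path grid-proxy.pem; the password is read without echo and scrubbed from memory once the proxy has been issued.

```java
import gov.nih.nci.cagrid.authentication.bean.BasicAuthenticationCredential;
import gov.nih.nci.cagrid.authentication.bean.Credential;
import gov.nih.nci.cagrid.authentication.client.AuthenticationClient;
import gov.nih.nci.cagrid.dorian.client.IFSUserClient;
import gov.nih.nci.cagrid.dorian.ifs.bean.ProxyLifetime;
import gov.nih.nci.cagrid.opensaml.SAMLAssertion;
import org.globus.gsi.GlobusCredential;
import java.io.Console;
import java.io.FileOutputStream;
import java.util.Arrays;

/** Hypothetical command-line login client (added example; not the page's attachment). */
public class GridLogin {
    // Training Grid Dorian URL from the page.
    static final String DORIAN_URL =
        "https://dorian.training.cagrid.org:8443/wsrf/services/cagrid/Dorian";

    public static void main(String[] args) throws Exception {
        Console console = System.console();   // null when stdin is not a terminal
        String username = console.readLine("Grid username: ");
        char[] password = console.readPassword("Grid password: ");   // not echoed
        GlobusCredential proxy;
        try {
            proxy = login(username, new String(password), 12);
        } finally {
            Arrays.fill(password, '\0');   // scrub the password once it is no longer needed
        }
        System.out.println("Grid identity: " + proxy.getIdentity());
        System.out.println("Proxy valid for " + proxy.getTimeLeft() / 3600 + " more hours");
        // Persist the proxy for later service invocations (file name is an assumption).
        FileOutputStream out = new FileOutputStream("grid-proxy.pem");
        try { proxy.save(out); } finally { out.close(); }
    }

    /** Authenticate against Dorian's IDP, then exchange the SAML assertion for a proxy. */
    static GlobusCredential login(String username, String password, int hours) throws Exception {
        Credential credential = new Credential();
        BasicAuthenticationCredential bac = new BasicAuthenticationCredential();
        bac.setUserId(username);
        bac.setPassword(password);
        credential.setBasicAuthenticationCredential(bac);
        // Step 1: the IDP verifies the username/password and returns a SAML assertion.
        SAMLAssertion saml = new AuthenticationClient(DORIAN_URL, credential).authenticate();
        // Step 2: the IFS issues a short-lived proxy certificate bound to that assertion.
        ProxyLifetime lifetime = new ProxyLifetime();
        lifetime.setHours(hours);
        lifetime.setMinutes(0);
        lifetime.setSeconds(0);
        int delegation = 0;   // 0: the proxy cannot be further delegated
        return new IFSUserClient(DORIAN_URL).createProxy(saml, lifetime, delegation);
    }
}
```

The saved proxy file lets its bearer act as the user's grid identity until it expires, so keep its lifetime short and restrict the file's permissions to the owner.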
More delegation information: Credential Delegation Service
Example Code
The attached file provides an example command line login client and a listing of Globus and caGrid Jar files required to compile and execute the example.
Grid Client and Jar Dependency List
External jars for Authorization
Input Parameters:
- username
- password
Authorization
The authorization step actually takes place when your credentials are used to access secured grid services.
Service Invocation for Client Developers