National Cancer Institute   U.S. National Institutes of Health www.cancer.gov
caBIG® Knowledge Center: A part of the Enterprise Support Network

Authentication and Authorization for Client Developers

From CaGrid

A Client Developer’s Guide to Authentication on the Grid

Contributors: Bill Stephens, Justin Permar

Overview

This article focuses on Authentication for Grid client application developers. The instructions are written with the assumption that you will not be building caGrid but only need to obtain the caGrid and Globus Jar files. The code examples, written for the command line, are not specific to any client development framework in order to focus on the functionality that must be implemented rather than actual GUI code.

The credentials obtained during authentication are used to call operations of secure Grid services.

It may be helpful to read the GAARDS Overview (Grid Authentication and Authorization with Reliably Distributed Services) to understand grid security.

Grid Trust Fabric

The Grid Trust Fabric, managed by the GTS service(s) on the Grid, is an essential component of successful authentication. Each time a client connects to a service, the client and the service both check the other's credentials. Only if the client and the service mutually trust each other can communication take place. Specifically, the client must trust the certificate authority that issued the server's certificate. In addition, the server must trust the certificate authority that issued the client's certificate.

The list of certificate authorities that each client and service trusts is managed by the Grid GTS service. To successfully trust services on the Grid, a client must synchronize with the Grid's GTS service. Only then can a client use secure Grid services.

Synchronizing with the Grid's GTS

Approaches for syncing with the Trust Fabric are discussed in Syncing with the Trust Fabric.

The quickest way to change the Grid you are using when you use a caGrid 1.1 or later distribution is to change target grids. The process of changing target Grids re-configures the caGrid distribution to use services on the chosen Grid. It also syncs against the chosen Grid's GTS service.

After successfully synchronizing with the Grid's GTS service, you can proceed to logging in to the Grid as described next.

Authentication

The process of authentication involves obtaining a username and password from your user and then verifying this information against an Identity Provider (IDP). An IDP may be a local LDAP server or, as in our example, the caGrid Training Grid Dorian service. A successful authentication results in your process receiving a SAML assertion, which attests that the user has authenticated and is used to federate local users to the grid.

Once the SAML assertion has been obtained, the client must present it to the Identity Federation Service (IFS) to obtain a grid identity in the form of a proxy certificate, which is then used when invoking secured grid services.

For the purposes of this code we use the Training Grid Dorian service URL:

https://dorian.training.cagrid.org:8443/wsrf/services/cagrid/Dorian

If you have not been provided with a training grid user, you will need to create one.

  1. Download the GAARDS-UI
  2. Create a user account
  3. Log on to the grid to verify access.

Create Credential

import gov.nih.nci.cagrid.authentication.bean.BasicAuthenticationCredential;
import gov.nih.nci.cagrid.authentication.bean.Credential;

Credential credential = new Credential();
BasicAuthenticationCredential bac = new BasicAuthenticationCredential();
bac.setUserId(username);
bac.setPassword(password);
credential.setBasicAuthenticationCredential(bac);

Obtain SAML assertion using the AuthenticationClient

import gov.nih.nci.cagrid.authentication.client.AuthenticationClient;
import gov.nih.nci.cagrid.opensaml.SAMLAssertion;

// url is the Dorian service URL given above; the credential carries the user's username and password
AuthenticationClient client = new AuthenticationClient(url, credential);
SAMLAssertion saml = client.authenticate();

Obtain Grid Proxy Certificate

import gov.nih.nci.cagrid.dorian.client.IFSUserClient;
import gov.nih.nci.cagrid.dorian.ifs.bean.ProxyLifetime;
import org.globus.gsi.GlobusCredential;

// Create an IFS client; the Training Grid Dorian acts as both IDP and IFS, so the same url is used
IFSUserClient ifsClient = new IFSUserClient(url);

// Create a lifetime for the proxy, 12 hours in this case
ProxyLifetime lifetime = new ProxyLifetime();
lifetime.setHours(12);
lifetime.setMinutes(0);
lifetime.setSeconds(0);

// specify delegation, use 0 for now. 0 indicates that the credential cannot be delegated
int delegation = 0;

// obtain your proxy and save it for use in invoking grid services
GlobusCredential cred = ifsClient.createProxy(saml, lifetime, delegation);
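The three fragments above (create credential, obtain the SAML assertion, obtain the proxy) combined into one command-line login client. This is an added example, not code from the caGrid project or the attached file; it assumes the Training Grid Dorian URL from this page serves as both IDP and IFS, that the class name GridLogin is ours, and that the Globus GlobusCredential methods verify(), getTimeLeft() and getIdentity() are available from the Globus jars the page lists.

```java
import java.io.Console;
import java.util.Arrays;

import gov.nih.nci.cagrid.authentication.bean.BasicAuthenticationCredential;
import gov.nih.nci.cagrid.authentication.bean.Credential;
import gov.nih.nci.cagrid.authentication.client.AuthenticationClient;
import gov.nih.nci.cagrid.dorian.client.IFSUserClient;
import gov.nih.nci.cagrid.dorian.ifs.bean.ProxyLifetime;
import gov.nih.nci.cagrid.opensaml.SAMLAssertion;
import org.globus.gsi.GlobusCredential;

/** Added example (not part of caGrid): minimal command-line login to the Training Grid. */
public class GridLogin {
    // Assumption: Training Grid Dorian is both the IDP and the IFS, so one URL serves both steps.
    static final String DORIAN_URL =
        "https://dorian.training.cagrid.org:8443/wsrf/services/cagrid/Dorian";

    static GlobusCredential login(String username, char[] password, int hours) throws Exception {
        // Step 1: wrap the user's username/password in a Credential bean.
        BasicAuthenticationCredential bac = new BasicAuthenticationCredential();
        bac.setUserId(username);
        bac.setPassword(new String(password));
        Credential credential = new Credential();
        credential.setBasicAuthenticationCredential(bac);

        // Step 2: authenticate against the IDP and receive a SAML assertion.
        SAMLAssertion saml = new AuthenticationClient(DORIAN_URL, credential).authenticate();

        // Step 3: trade the assertion for a short-lived proxy; delegation 0 = cannot be delegated.
        ProxyLifetime lifetime = new ProxyLifetime();
        lifetime.setHours(hours);
        lifetime.setMinutes(0);
        lifetime.setSeconds(0);
        GlobusCredential proxy = new IFSUserClient(DORIAN_URL).createProxy(saml, lifetime, 0);

        // Sanity checks before using the proxy: certificate chain verifies and it has not expired.
        proxy.verify();
        if (proxy.getTimeLeft() <= 0) {
            throw new IllegalStateException("proxy already expired: " + proxy.getIdentity());
        }
        return proxy;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) { System.err.println("run from an interactive terminal"); System.exit(1); }
        String user = console.readLine("Grid username: ");
        char[] pass = console.readPassword("Password: ");  // read without echo, never logged
        GlobusCredential proxy = login(user, pass, 12);
        Arrays.fill(pass, '\0');                            // drop the password from memory
        System.out.println("Logged in as " + proxy.getIdentity()
            + ", proxy valid for " + proxy.getTimeLeft() / 60 + " more minutes");
    }
}
```

Only the proxy's identity and remaining lifetime are printed; the proxy's private key and the user's password are never written out.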

More delegation information: Credential Delegation Service

Example Code

The attached file provides an example command line login client and a listing of Globus and caGrid Jar files required to compile and execute the example.

Grid Client and Jar Dependency List
External jars for Authorization

Input Parameters:

  1. username
  2. password

Authorization

The authorization step actually takes place when your credentials are used to access secured grid services.
Service Invocation for Client Developers
