Hello all,
    We are using VOMS credentials to access Globus services like RFT, GRAM,
etc.
For this, we have installed the VOMS server and VOMS client, and the VOMS
interceptor is deployed in the Globus container.
After this, we were able to successfully invoke our own service
'DeployService', whose security config file and wsdd file have been attached.
Here grid-map authz. has been disabled and the authZ. value points to the VOMS
PDP and PIP, so the global grid-map need not have an entry for the client DN
through which the service is invoked.

Then we are trying the RFT service similarly. (Only ReliableFileTransferService
is configured to use VOMS PDP and PIP, and grid-map authZ. is disabled.)
But here, the transfer happens successfully only if the global grid-mapfile
has an entry for the client DN.
If the entry is absent, it gives the following error:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server.userException</faultcode>
<faultstring>org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: &quot;/C=IN/O=C-DAC KP Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis&quot; is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service</faultstring>
<detail>
<ns1:stackTrace xmlns:ns1="http://xml.apache.org/axis/">org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: &quot;/C=IN/O=C-DAC KP Bangalore/OU=CTSF/OU=ctsf.cdac.org.in/CN=kakolis&quot; is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service
        at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:301)
        at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:272)
        at org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain.authorize(ServiceAuthorizationChain.java:235)
        at org.globus.wsrf.impl.security.authorization.AuthorizationHandler.invoke(AuthorizationHandler.java:177)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
        at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
        at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
        at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
</ns1:stackTrace>
<ns2:hostname xmlns:ns2="http://xml.apache.org/axis/">sukeshini.cdacb.ernet.in</ns2:hostname>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>


My guess is that RFT may actually be invoking other services which may be
referring to the original grid-map.

Then my query is: what other services are actually involved?

Has anyone configured the Globus RFT service to use PDP and PIP instead of
gridmap authZ.?

Thanks & Regards,

Kakoli
________________________________________________________________________
KAKOLI SEN                              Ph:91-80-25341909/215(Extn. 309)
C-DAC Knowledge Park                    E-mail:
#1, Old Madras Road                     [EMAIL PROTECTED]
Bangalore - 560 038, INDIA              [EMAIL PROTECTED]
________________________________________________________________________



Attachment: deploy-service_server-config.wsdd
Description: Binary data

<securityConfig xmlns="http://www.globus.org">

  <auth-method>
    <GSISecureConversation/>
  </auth-method>

  <authz value="ascope:org.globus.voms.PIP
                bscope:org.globus.voms.PDP"/>
  <!--gridmap value="etc/org_vlescience_webservices_deployment/grid-mapfile"/-->
</securityConfig>
