GT 3.9.4 Delegation Service: Developer's Guide
- Introduction
- Architecture and design overview
- Public interface
- Usage scenarios
- Tutorials
- Feature summary
- Tested platforms
- Backward compatibility summary
- Technology dependencies
- Security considerations
- Troubleshooting
- Related Documentation
Introduction
The Delegation Service provides an API that lets service developers retrieve a delegated credential, given the endpoint reference (EPR) of the credential resource. No remote interface is provided for this functionality; access is through shared Java state. The component also provides a utility API for developing client-side code that generates a delegated credential and delegates it.
Architecture and design overview
This component offers an interface for accepting a delegated credential, which it exposes as a WS-Resource identified by an EPR that it returns to the delegator. It gives co-hosted services access to those credentials through shared Java state.
The Delegation Service exposes its public key as a ResourceProperty. The public key of the DS is contained in a certificate chain for the host system (either as the EEC or as a Proxy Certificate issued by the EEC), allowing the client to verify the validity of the public key. Clients of the DS delegate by binding a Proxy Certificate to the exposed public key and then passing the Proxy Certificate to the DS via its interface.
Additionally, the component allows the delegator to renew delegated credentials. Other entities may subscribe in order to receive notification of renewals, allowing them to obtain the renewed credential.
This component has a Delegation Factory Service and a Delegation Service. The Delegation Factory Service exposes its public key as a resource property. A delegate call on the factory creates a resource in the Delegation Service that represents the delegated credential. The delegate call returns an Endpoint Reference (EPR) that can subsequently be used to refresh the credential.
Services that are interested in the credential can register a listener (an object that implements org.globus.delegation.DelegationRefreshListener) with the specific resource. This has no remote interface, so only services in the same hosting environment can register interest. The credential is pushed to the listener any time a refresh is done.
Public interface
The semantics and syntax of the APIs and WSDL for the component, along with descriptions of domain-specific structured interface data, can be found in the public interface guide.
Usage scenarios
Client-side scenario
- Prior to delegating, the client needs to get information about the public key of the Delegation Factory Service, so that it can delegate on that key. The utility API for doing this is described here.
- The delegation client needs to get the public key of the Delegation Factory Service, create a delegated credential on that key, and then use the remote interface on the factory to delegate the credential. The utility API for all of the above is described here. The Endpoint Reference returned by this operation can be distributed to the services to which the user would like to delegate rights.
- The user may need to refresh the delegated credential. The onus is on the user to do this prior to expiration of the delegated credential; if not, expired credentials are garbage collected and the Endpoint Reference cannot be reused. The API that can be used to refresh is described here.
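The three client-side steps above (read the factory's public key, delegate on it, refresh before expiry), as an added example that is not code from the Globus Toolkit documentation. The `DelegationUtil` method names and signatures used here (`getCertificateChainRP`, `delegate`, `refresh`) are assumptions about the utility API this page refers to and must be checked against the public interface guide; the JGlobus `ProxyPathValidator`, `TrustedCertificates` and `GlobusCredential` classes are used for the chain check that the architecture section says the client should perform before binding a proxy to the exposed key.

```java
// Added example: client-side delegation flow. DelegationUtil signatures are
// assumptions (see lead-in); adjust to the public interface guide.
import java.security.cert.X509Certificate;

import org.apache.axis.message.addressing.Address;
import org.apache.axis.message.addressing.EndpointReferenceType;
import org.globus.delegation.DelegationUtil;
import org.globus.gsi.CertificateRevocationLists;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.TrustedCertificates;
import org.globus.gsi.proxy.ProxyPathValidator;
import org.globus.wsrf.impl.security.authorization.HostAuthorization;
import org.globus.wsrf.impl.security.descriptor.ClientSecurityDescriptor;
import org.globus.wsrf.security.Constants;

public class DelegationClientExample {

    /**
     * Step 1: fetch the factory's certificate chain (the resource property
     * carrying its public key) and validate it before trusting the key.
     * Returns the certificate whose public key the proxy will be bound to.
     */
    public static X509Certificate fetchAndVerifyFactoryCert(String factoryUrl,
                                                            String expectedIdentity)
            throws Exception {
        EndpointReferenceType factoryEpr = new EndpointReferenceType();
        factoryEpr.setAddress(new Address(factoryUrl));
        X509Certificate[] chain = DelegationUtil.getCertificateChainRP(factoryEpr); // assumed

        // Check the chain against the local trust roots and CRLs. Binding a
        // proxy to an unverified key would delegate the user's rights to
        // whoever holds the matching private key.
        TrustedCertificates trusted = TrustedCertificates.getDefaultTrustedCertificates();
        ProxyPathValidator validator = new ProxyPathValidator();
        validator.validate(chain, trusted.getCertificates(),
                CertificateRevocationLists.getDefaultCertificateRevocationLists());

        // The chain must also belong to the host we intended to delegate to,
        // not merely to some host with a valid certificate.
        String identity = validator.getIdentity();
        if (!identity.equals(expectedIdentity)) {
            throw new SecurityException("Delegation factory identity " + identity
                    + " does not match expected " + expectedIdentity);
        }
        return chain[0];
    }

    private static ClientSecurityDescriptor secureDescriptor() {
        ClientSecurityDescriptor desc = new ClientSecurityDescriptor();
        desc.setGSISecureConv(Constants.ENCRYPTION);        // protect the proxy in transit
        desc.setAuthz(HostAuthorization.getInstance());     // expect the host identity of the URL
        return desc;
    }

    /**
     * Step 2: create a proxy bound to the factory's key and delegate it. The
     * returned EPR identifies the credential resource and can be handed to
     * co-hosted services. Keep the lifetime short and use a limited proxy
     * (fullDelegation=false) unless the receiving service must delegate onward.
     */
    public static EndpointReferenceType delegate(String factoryUrl, String expectedIdentity,
                                                 int lifetimeSeconds, boolean fullDelegation)
            throws Exception {
        X509Certificate factoryCert = fetchAndVerifyFactoryCert(factoryUrl, expectedIdentity);
        GlobusCredential issuing = GlobusCredential.getDefaultCredential();
        return DelegationUtil.delegate(factoryUrl, issuing, factoryCert, lifetimeSeconds,
                fullDelegation, secureDescriptor()); // assumed signature
    }

    /**
     * Step 3: refresh an existing credential resource. This must happen before
     * the delegated credential expires; once it expires the resource is garbage
     * collected and the EPR can no longer be reused.
     */
    public static void refresh(EndpointReferenceType credentialEpr, X509Certificate factoryCert,
                               int lifetimeSeconds, boolean fullDelegation) throws Exception {
        GlobusCredential issuing = GlobusCredential.getDefaultCredential();
        DelegationUtil.refresh(issuing, factoryCert, lifetimeSeconds, fullDelegation,
                secureDescriptor(), credentialEpr); // assumed signature
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; replace with the real factory URL and host DN.
        String factoryUrl = "https://example.invalid:8443/wsrf/services/DelegationFactoryService";
        String hostDn = "/O=Example/CN=host/example.invalid";
        EndpointReferenceType epr = delegate(factoryUrl, hostDn, 3600, false);
        System.out.println("Delegated credential EPR: " + epr);
    }
}
```

Because the issuing credential is the user's own proxy, the refresh in step 3 must be driven from the client side, typically on a timer set well inside the lifetime chosen in step 2; nothing on the service side can extend a credential on the user's behalf.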
Service-side scenario
This section describes the usage scenario where a service is given a delegated credential EPR and needs to access the credential. Typically, as part of an application, the delegated credential EPR is sent to the service, and it is assumed that the Delegation Service is co-hosted (that is, runs in the same hosting environment).
The service needs to create a listener object that implements the org.globus.delegation.DelegationRefreshListener interface. When the listener is registered, the service checks that the delegator identity matches either the identity in the Subject object passed as part of the API, or the peer subject in the current message context. Details about the API are described here.
Upon registering the listener, the delegated credential is set on the listener. Any time the credential is refreshed, it is set on the listener.
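A service-side listener of the kind described above, as an added example that is not code from the Globus Toolkit documentation. It assumes that `DelegationRefreshListener` has a single callback, `credentialRefreshed(GlobusCredential)`, and that a `DelegationUtil.registerDelegationListener(resourceKey, listener, subject)` call performs the registration against the credential resource; both are assumptions to confirm against the public interface guide. The listener does what the page leaves to the service: it keeps only the latest credential, checks the credential it is handed, and refuses to hand out one that is about to expire.

```java
// Added example: a DelegationRefreshListener that validates and holds the
// delegated credential. Callback name and registration call are assumptions.
import javax.security.auth.Subject;

import org.globus.delegation.DelegationRefreshListener;
import org.globus.delegation.DelegationUtil;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.GlobusCredentialException;

public class DelegatedCredentialHolder implements DelegationRefreshListener {

    private final String expectedDelegator;   // DN the credential must belong to, or null
    private GlobusCredential current;         // latest credential pushed by the service

    public DelegatedCredentialHolder(String expectedDelegator) {
        this.expectedDelegator = expectedDelegator;
    }

    /**
     * Called once at registration and again on every refresh. Each pushed
     * credential is verified before it replaces the one in use, so a bad
     * refresh cannot silently downgrade the credential the service relies on.
     */
    public synchronized void credentialRefreshed(GlobusCredential credential) {
        try {
            credential.verify();   // chain, signatures and validity period
        } catch (GlobusCredentialException e) {
            System.err.println("Rejected refreshed credential: " + e.getMessage());
            return;
        }
        if (expectedDelegator != null && !expectedDelegator.equals(credential.getIdentity())) {
            System.err.println("Rejected credential for unexpected identity "
                    + credential.getIdentity());
            return;
        }
        current = credential;
    }

    /**
     * Returns the credential for use on the user's behalf, but only if it still
     * has at least minSecondsLeft of lifetime; a job started on a credential
     * that expires mid-run fails in a harder-to-diagnose way.
     */
    public synchronized GlobusCredential getCredential(long minSecondsLeft)
            throws GlobusCredentialException {
        if (current == null) {
            throw new GlobusCredentialException(GlobusCredentialException.FAILURE,
                    "no delegated credential has been received yet", null);
        }
        long left = current.getTimeLeft();
        if (left < minSecondsLeft) {
            throw new GlobusCredentialException(GlobusCredentialException.EXPIRED,
                    "delegated credential has only " + left + "s left; ask the user to refresh",
                    null);
        }
        return current;
    }

    /**
     * Registers a holder against the credential resource identified by
     * resourceKey (the key carried in the delegated credential EPR). The
     * Delegation Service compares the delegator's identity with the supplied
     * Subject (or, if null, with the peer subject of the current message).
     */
    public static DelegatedCredentialHolder register(String resourceKey, Subject subject,
                                                     String expectedDelegator) throws Exception {
        DelegatedCredentialHolder holder = new DelegatedCredentialHolder(expectedDelegator);
        DelegationUtil.registerDelegationListener(resourceKey, holder, subject); // assumed
        return holder;
    }
}
```

Holding the credential behind `getCredential` rather than exposing the field keeps the expiry check in one place; a service that passes the credential on to GRAM or another component should call it immediately before each use rather than caching the returned object.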
Tutorials
[add links to any tutorials - if no tutorials, say "There are no tutorials available at this time"]
Feature summary
Features new in release 3.9.4
- Provides an interface for the delegation and renewal of credentials to a host.
- Allows for a single delegated credential to be reused across multiple service invocations (e.g. GRAM jobs)
Other Supported Features
- The Delegation Service is a new component in GT 3.9.4
Deprecated Features
- The Delegation Service is a new component in GT 3.9.4
Tested platforms
Tested Platforms for Delegation Service
- Windows XP
- Linux (Red Hat 7.3)
Backward compatibility summary
The Delegation Service is a new component in GT version 3.9.4
Technology dependencies
The Delegation Service depends on the following GT components:
- WS Authentication and Authorization Message-Level Security
The Delegation Service depends on the following 3rd party software:
- Apache Axis
Security considerations
[describe security considerations relevant for this component]
Troubleshooting
[help for common problems developers may experience]
Related Documentation
[could link to pdfs and whitepapers about protocols, etc re: the component]