This component consists of two services: the delegation factory service and the delegation service.
The delegation factory service exposes its public certificate as a resource property and allows clients to delegate credentials bound to that public key. Upon delegation an Endpoint Reference (EPR) to the delegated credential, which is implemented as a resource of the delegation service, is returned to the client. The client can use this EPR to provide a reference to the delegated credential to other services.
The delegation service itself has an interface to allow refreshing the credentials remotely. Other co-hosted services can register interest in delegated credentials through listeners and be notified when credentials are refreshed.
Some relevant API:
- org.globus.delegation.DelegationUtil
- org.globus.delegation.DelegationRefreshListener
- org.globus.delegation.delegationService.DelegationPortType
- org.globus.delegation.delegationService.DelegationFactoryPortType
Complete API:
The delegation service allows for delegation of credentials and is based on the WS-Trust specification. A WSDL interface to refresh the credentials remotely is also provided. Access to these credentials is restricted to co-hosted services, i.e. services that are run in the same container, and is done using shared Java state. Co-hosted services interested in the credentials can register listeners and will be notified upon credential refresh.
RequestSecurityToken: This operation allows for a security token to be sent to the service.
All operations on the delegation service and the delegation factory service throw RemoteException in case of failure.
Please see the Delegation Service Command Reference.
The security settings for Delegation Factory Service and Delegation Service can be configured by modifying the security descriptors. The descriptors allow for configuring the credentials that will be used by the services and the type of authentication and message protection required, as well as the authorization mechanism.
By default, the following configuration is installed:
Delegation Factory Service:
- Credentials are determined by the container level security descriptor. If there is no container level security descriptor or if it does not specify what credentials to use then default credentials are used.
- Authentication and message integrity protection is enforced for the requestSecurityToken operation. Other operations do not require authentication. This means that you may use any of GSI Transport, GSI Secure Message or GSI Secure Conversation when invoking the requestSecurityToken operation on the delegation factory service.
- Access is authorized using the grid map mechanism and no grid map is configured in the service by default. If a grid map is configured in the container level security descriptor, it is used. To configure a grid map file for this service refer to instructions in the next section.
Delegation Service:
- Credentials are determined by the container level security descriptor. If there is no container level security descriptor or if it does not specify what credentials to use then default credentials are used.
- Authentication and message integrity protection is enforced for all operations. This means that you may use any of GSI Transport, GSI Secure Message or GSI Secure Conversation when interacting with the delegation service.
- Access to resources managed by the Delegation Service is managed using the gridmap mechanism. The gridmap used is resource specific and is populated with the subject of the client that originally created the resource. This implies that only the user who delegated can access (and refresh) the delegated credential.
Note: Changing required authentication and authorization methods will require corresponding changes to the clients that contact this service.
Important: If the service is configured to use GSI Secure Transport, then container credentials are used for the handshake, irrespective of whether service level credentials are specified.
To alter the security descriptor configuration refer to Security Descriptors.
To alter the security configuration of the Delegation Factory Service, edit the file $GLOBUS_LOCATION/etc/globus_delegation_service/factory-security-config.xml.
Note: To either specify a gridmap file different from the container level configuration or to add one if the container security descriptor does not specify one, refer to Section 11.1, “Configuring Default GridMap Files” to add a gridmap to the Delegation Factory security descriptor.
To alter the security configuration of the Delegation Service, edit the file $GLOBUS_LOCATION/etc/globus_delegation_service/service-security-config.xml.
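As an added illustration (not the shipped default and not part of this documentation), the following factory-security-config.xml keeps the default behaviour of authenticating only the requestSecurityToken operation, but narrows the accepted mechanism to GSI Secure Conversation with privacy and points authorization at a dedicated gridmap file. The element names follow the GT4 security descriptor schema as recalled here and the gridmap path is a placeholder; verify both against the Security Descriptors page before deploying.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example factory-security-config.xml (added illustration, not the shipped default).
     Assumptions: GT4 security descriptor element names; the gridmap path is a placeholder. -->
<securityConfig xmlns="http://www.globus.org">

  <!-- requestSecurityToken is the operation that carries the delegated credential,
       so it is the one that must be authenticated and protected. The default accepts
       GSI Transport, GSI Secure Message or GSI Secure Conversation with integrity;
       this descriptor requires Secure Conversation with privacy (encryption) instead.
       Clients that delegate to this factory must then use Secure Conversation too. -->
  <method name="requestSecurityToken">
    <auth-method>
      <GSISecureConversation>
        <protection-level>
          <privacy/>
        </protection-level>
      </GSISecureConversation>
    </auth-method>
  </method>

  <!-- Authorize delegating clients with an explicit gridmap file rather than relying
       on whatever the container-level descriptor does or does not configure.
       A gridmap file maps a certificate subject DN to a local account, one per line,
       for example (constructed sample entry):
         "/O=Grid/OU=Example/CN=Alice Example" alice
       Only subjects listed in the file may delegate credentials to this factory. -->
  <authz value="gridmap"/>
  <gridmap value="/etc/grid-security/delegation-grid-mapfile"/>

</securityConfig>
```

The Delegation Service itself needs no gridmap entry here: per the defaults above, each delegated-credential resource carries its own gridmap populated with the creating client's subject, so only that client can refresh it.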
Refer to the environment variable interface for details.
The environment variables described above only affect the selection of credentials if no credentials are specified in any of the applicable security descriptors.