[workspace-user] Delegating credentials with the 'workspace' command
dpb at uvic.ca
Mon Apr 16 18:11:41 CDT 2007
Hello Everyone -
I have a question about specifying delegated credential information in
my 'workspace' call to create workspaces. I have workspace-services
running on a cluster head node, and workspace-control running on an
attached worker node. I am able to create workspaces with images hosted
locally on the worker node (not using propagation) and with off-site
images (using gsiftp propagation). However, to create workspaces using
gsiftp propagation, I have to obtain valid credentials on both the
workspace-services head node and the workspace-control worker node. This
system uses proxy-based credentials, so in effect, this means that I
have to obtain a valid proxy on both the worker node and the head node
to be able to use gsiftp propagation. Currently, I am simply SSHing to
the head node and the worker node and obtaining credentials separately.
What I would like to be able to do is to obtain a credential on the
machine that I am executing the 'workspace' command on (in this case,
the services head node), and propagate that credential to the worker
node so that I don't have to obtain a credential for both machines; the
goal is to have a credential obtained on the head node be effective on
the worker node that executes the gsiftp propagation call (as valid
credentials are needed to use gsiftp).
Currently, I am looking at the delegation parameters of the 'workspace'
command, but I'm not having an easy time figuring out what combination /
configuration I should use to accomplish the desired credential
propagation. So far, I have tested the following command:
--delegation full --delegate
--securityMech conv --authorization host --serverCertificate
--delegation full seems correct to me, though I'm not sure what the
'limited' option would produce.
--delegate simply reflects the location of the
--delegateXf forces the credentials created to be used for
transfer (I think I should use this, as I need the credential for image
propagation, not file staging)
--securityMech conv this option is required for the delegation
option to facilitate gsi conversation
--authorization this field is confusing to me: I have tried using
'self', 'host', 'none', and my certificate tag, and all have given
I have also tried the command with an added '--serverCertificate [...]'
specifying the location of the hostcert.pem file on the head node. If
anyone has suggestions on how to make this system work, please let me
know. Any further explanation of the workspace command and the
credential parameters would also be greatly appreciated. If more
information is needed (eg: what error messages I am getting when I run
the above commands), again, just let me know.
University of Victoria, CA
More information about the workspace-user