Using MyProxy server

Added by Hajnal Akos about 6 years ago

Dear Developers,

I am new to using MyProxy server, and thought that MyProxy server is something that can store my proxy and give it back to anyone who knows the proper username and password.

I created and stored my proxy on the MyProxy server using the command:

myproxy-init -s myproxy.hpcc.sztaki.hu --certfile usercert.pem --keyfile userkey.pem -l ahajnal

and could retrieve the proxy with (globus?) UI:
myproxy-get-delegation -s myproxy.hpcc.sztaki.hu -l ahajnal

and check its status:
myproxy-info -s myproxy.hpcc.sztaki.hu -l ahajnal

However, my attempt to use MyProxy server failed:

import org.ogf.saga.context.*;
import org.ogf.saga.namespace.*;
import org.ogf.saga.session.*;
import org.ogf.saga.url.*;

public class MyProxy {

    public static void main(String[] args) {
        try {
            URL url = URLFactory.createURL("gsiftp://dpm.hpcc.sztaki.hu:2811/tmp");
            Session session = SessionFactory.createSession(false);
            Context ctx = ContextFactory.createContext("MyProxy"); // context type
            ctx.setAttribute(Context.SERVER, "myproxy.hpcc.sztaki.hu"); // server address (port: 7512)
            ctx.setAttribute(Context.USERID, "ahajnal"); // user id to get proxy from myproxy server
            ctx.setAttribute("MyProxyPass", "***"); // password to get proxy from myproxy server
            ctx.setAttribute("DelegationLifeTime", "PT12H"); // lifetime of the generated proxy (optional?)
            ctx.setAttribute(Context.CERTREPOSITORY, "C:/Documents and Settings/Akos Hajnal/.globus/certificates/"); // cert dir 
            session.addContext(ctx);
            NSDirectory dir = NSFactory.createNSDirectory(session, url);
            for (URL dirEntry: dir.list()) System.out.println(dirEntry.getPath());
            dir.close();
        } catch (Exception e) { e.printStackTrace(); }
    }
}

I get the exception:

NoSuccess: java.io.FileNotFoundException: null.myproxy (The system cannot find the file specified)
    at fr.in2p3.jsaga.adaptor.security.MyProxySecurityAdaptor.createSecurityCredential(MyProxySecurityAdaptor.java:196)
    at fr.in2p3.jsaga.impl.context.ContextImpl.createCredential(ContextImpl.java:282)
    at fr.in2p3.jsaga.impl.session.SessionImpl.addContext(SessionImpl.java:63)
    at MyProxy.main(MyProxy.java:18)
Caused by: java.io.FileNotFoundException: null.myproxy (The system cannot find the file specified)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:120)
    at fr.in2p3.jsaga.adaptor.security.MyProxySecurityAdaptor.load(MyProxySecurityAdaptor.java:273)
    at fr.in2p3.jsaga.adaptor.security.MyProxySecurityAdaptor.createSecurityCredential(MyProxySecurityAdaptor.java:181)
    ... 3 more

Am I still missing some context attribute?

Thanks,
Akos Hajnal


Replies (11)

RE: Using MyProxy server - Added by Schwarz Lionel about 6 years ago

Are you running on Windows? It might be a bug of the MyProxy adaptor on Windows (default value for user proxy is wrong).
As a workaround you can either add in your code:
ctx.setAttribute(Context.USERPROXY, <the path to your proxy file>);

or set the env variable
X509_USER_PROXY=<the path to your proxy file>

Could you please file a bug on this at:
https://forge.in2p3.fr/projects/jsaga/issues/new

Thanks
Lionel

RE: Using MyProxy server - Added by Hajnal Akos about 6 years ago

Yes, I am running on Windows, and partially yes, adding UserProxy attribute makes things a little bit better:

ctx.setAttribute(Context.USERPROXY, "myproxyfilename");

causes myproxyfilename not found exception.

My main problem is that I guess I am missing some important concept.
Is it true that jSaga should download the proxy (to file myproxyfilename)? (Otherwise, why is the MyProxy server used?)

Thanks,
Akos

RE: Using MyProxy server - Added by Reynaud Sylvain about 6 years ago

Dear Akos,

The issue #4644 (file name "null.myproxy" when neither Context.USERPROXY attribute nor environment variable X509_USER_PROXY are set) is fixed and the fix will be integrated in next snapshot.

However, whatever the path is, you need a proxy file (which can be about to expire) in order to be allowed to get a new proxy with a longer remaining lifetime.

Regards,
Sylvain
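
Added example, not part of the thread and not JSAGA code: a stand-alone Java pre-flight check for the local proxy file that the reply above says the MyProxy context needs. It assumes the usual proxy file layout (proxy certificate first in the PEM file); the class name ProxyPreflight and its helper methods are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;

// Added example (hypothetical helper, not JSAGA code): check the proxy file before adding the context.
public class ProxyPreflight {

    // An explicit path wins, then X509_USER_PROXY; null means neither was provided.
    static Path resolveProxyPath(String explicitPath, String envValue) {
        if (explicitPath != null && !explicitPath.isEmpty()) return Paths.get(explicitPath);
        if (envValue != null && !envValue.isEmpty()) return Paths.get(envValue);
        return null;
    }

    // Remaining lifetime of the first certificate in the file; negative when it has expired.
    // Assumption: the proxy certificate is the first PEM block of the proxy file.
    static Duration remainingLifetime(Path proxyFile) throws Exception {
        try (InputStream in = Files.newInputStream(proxyFile)) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            return Duration.between(Instant.now(), cert.getNotAfter().toInstant());
        }
    }

    public static void main(String[] args) throws Exception {
        Path proxy = resolveProxyPath(args.length > 0 ? args[0] : null,
                                      System.getenv("X509_USER_PROXY"));
        if (proxy == null) {
            System.err.println("No proxy path: pass one as argument or set X509_USER_PROXY");
            System.exit(2);
        }
        if (!Files.isRegularFile(proxy)) {
            System.err.println("Proxy file not found: " + proxy.toAbsolutePath());
            System.exit(2);
        }
        Duration left = remainingLifetime(proxy);
        if (left.isNegative()) {
            System.err.println("Proxy expired " + left.negated().toMinutes() + " minutes ago");
            System.exit(1);
        }
        System.out.println("Proxy valid for another " + left.toMinutes() + " minutes: " + proxy);
    }
}
```

Printing the absolute path shows where a relative name such as "myproxyfilename" is actually being looked up.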

RE: Using MyProxy server - Added by Hajnal Akos about 6 years ago

Dear Sylvain,

Thank you!

Just one more comment. As far as I know, it is possible to configure MyProxy server to provide proxy for only user/pass authentication (without having a previous proxy), or for user/pass + host certificate (of the requester) authentication. (Though, I am not 100% sure.)

It seems that jSaga (or the underlying library) does not allow to access MyProxy server, but will reject trials before trying to communicate with the MyProxy server because of the missing userproxy attribute - even if MyProxy server would be able to accept requests like this. Is it true?

Sorry for such questions, I am new to MyProxy...

Regards,
Akos

RE: Using MyProxy server - Added by Reynaud Sylvain about 6 years ago

Dear Akos,

Yes, there is another way to use MyProxy by using user/pass authentication, but this authentication mode is not supported by the underlying library used by JSAGA. That's why JSAGA requires a userproxy file to be available.

You can submit a feature request if you think this feature is missing. However, please note that we will not be able to work on this feature until JSAGA is migrated to the jglobus2 library instead of the current old library (Lionel is currently working on this migration).

Regards,
Sylvain

RE: Using MyProxy server - Added by Hajnal Akos about 6 years ago

Ok, now I see, thank you.

Akos

RE: Using MyProxy server - Added by Hajnal Akos about 6 years ago

Dear Sylvain,

I made another test with the old (I guess current) snapshot. I provide a proxy file which is valid (with expired proxy, MyProxy context type does not work, which is correct, according to your previous note - it was not only about to expire, but was really expired).
I gave invalid username and password for the myproxy server, and dir listing works. I am afraid no attempt made to get proxy from the MyProxy server, but the provided proxy is used for communication.

Regards, Akos

RE: Using MyProxy server - Added by Reynaud Sylvain about 6 years ago

Dear Akos,

JSAGA adaptors for security context can have different behaviors, and the selected behavior depends on which attributes are set.

The list of possible behaviors and associated attributes is declared in the method getUsage() of the adaptor:
https://git.in2p3.fr/public/jsaga/tree/adaptors/jsaga-adaptor-globus/src/fr/in2p3/jsaga/adaptor/security/MyProxySecurityAdaptor.java#n69

  • USAGE_INIT_PEM creates a new proxy and stores it on the MyProxy server.
  • USAGE_GET_DELEGATED_MEMORY gets a delegated proxy for the MyProxy server, using in-memory proxy object to authenticate.
  • USAGE_GET_DELEGATED_LOAD gets a delegated proxy for the MyProxy server, using on-disk proxy file to authenticate.
  • USAGE_LOCAL_MEMORY uses the in-memory proxy object (no proxy renewal).
  • USAGE_LOCAL_LOAD uses the on-disk proxy file (no proxy renewal).

You may be in the USAGE_LOCAL_LOAD case. If so, setting the "DelegationLifeTime" attribute should switch you to the USAGE_GET_DELEGATED_LOAD case.

Regards,
Sylvain

RE: Using MyProxy server - Added by Hajnal Akos about 6 years ago

I tried (added attribute DelegationLifeTime = PT12H), but the same result, works for wrong pass.
Thanks for the source, I try to understand... :)
Akos

RE: Using MyProxy server - Added by Reynaud Sylvain about 6 years ago

My previous answer was for this sentence: "I am afraid no attempt made to get proxy from the MyProxy server, but the provided proxy is used for communication."

About your "works for wrong pass" issue, the reason may be that the "UserPass" attribute is only used by the USAGE_INIT_PEM case, else it is ignored.

You don't need to understand the full source code, understanding the getUsage() method should be enough. It is just a big expression with boolean operators (and, or).

Regards,
Sylvain

RE: Using MyProxy server - Added by Hajnal Akos about 6 years ago

When setting DelegationLifeTime I got exception but of different type (connect timed out, I didn't notice among the several trials).
Now infrastructure guys let my machine access the MyProxy server, and with the new version the code works fine, as you wrote.

Thanks, and sorry.

Regards,
Akos
