
MyProxyClient

The MyProxyClient Python package was developed as part of the NERC DataGrid Security system. The work was also supported by OMII-UK (now the Software Sustainability Institute), and this package is one of its results.

The implementation is based on the myproxy_logon script developed by Tom Uram of ANL. Rather than binding to the MyProxy C libraries, it uses a Python OpenSSL wrapper (M2Crypto originally; PyOpenSSL since release 1.0, see below) to speak the MyProxy protocol directly to a MyProxy server.

Releases

1.2.2 9 December 2010

Fixes a bug in the server certificate subject name check: the Common Name field may now carry a host/ or myproxy/ prefix, or no prefix at all. This is applied by default and needs no explicit setting.

1.2.1 18 November 2010

Fix non-ASCII character bug in script.py.

1.2.0 30 Sept 2010

  • Important fix for SSL peer verification. The verify callback passed to OpenSSL.SSL.Context.set_verify was not enforcing the pre-verify OK code handed to it. As a result, when a DN was set as accepted, any error in the verification of the server certificate's CA chain was ignored.
  • Added the myproxyclient console script contributed by Stephen Pascoe.
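The two server-certificate fixes in 1.2.2 and 1.2.0 are easiest to see side by side in a verify callback. The following is an added example, not MyProxyClient's own code: it shows the shape of the pre-1.2.0 defect (the subject check standing in for OpenSSL's verdict) next to a callback that treats preverify_ok as binding and then applies the 1.2.2 CN-prefix rule to the leaf certificate. The StubX509/StubX509Name classes, the accepted DN and the hostname are constructed so the file runs offline; real pyOpenSSL X509 objects expose get_subject() and get_components() the same way.

```python
# Added example (not MyProxyClient's own code).  pyOpenSSL calls the function
# given to OpenSSL.SSL.Context.set_verify() once per certificate in the chain as
#     callback(connection, x509, errnum, depth, preverify_ok)
# preverify_ok is OpenSSL's own verdict for that certificate (1 = chains to a
# trusted CA and passed OpenSSL's checks); the return value decides whether the
# handshake continues.  Stub* classes are constructed stand-ins for pyOpenSSL's
# X509 / X509Name so this runs without a server or the library installed.

# Constructed sample DN, not a real deployment value.
ACCEPTED_SERVER_DNS = {"/O=Example Grid/OU=Hosts/CN=myproxy.localhost"}

# The 1.2.2 rule: CN may be "host/<name>", "myproxy/<name>" or bare "<name>".
CN_PREFIXES = ("host/", "myproxy/", "")


class StubX509Name:
    """Stand-in for OpenSSL.crypto.X509Name (constructed)."""

    def __init__(self, components):
        self._components = components          # list of (bytes, bytes)

    def get_components(self):
        return list(self._components)


class StubX509:
    """Stand-in for OpenSSL.crypto.X509 exposing only get_subject() (constructed)."""

    def __init__(self, subject):
        self._subject = subject

    def get_subject(self):
        return self._subject


def _text(value):
    return value.decode("utf-8") if isinstance(value, bytes) else value


def dn_string(x509_name):
    """Render a subject as '/O=.../OU=.../CN=...' in component order."""
    return "".join("/%s=%s" % (_text(k), _text(v))
                   for k, v in x509_name.get_components())


def common_name(x509_name):
    """Return the first CN component, or None when the subject has none."""
    for k, v in x509_name.get_components():
        if _text(k) == "CN":
            return _text(v)
    return None


def cn_matches_hostname(cn, hostname):
    """Accept 'host/<hostname>', 'myproxy/<hostname>' or '<hostname>' (case-insensitive)."""
    return any(cn.startswith(p) and cn[len(p):].lower() == hostname.lower()
               for p in CN_PREFIXES)


def insecure_verify_callback(conn, x509, errnum, depth, preverify_ok):
    """The pre-1.2.0 defect as the release note describes it: the subject check
    replaces, rather than adds to, OpenSSL's chain verification, so preverify_ok
    is never consulted and an accepted DN passes even from an untrusted issuer."""
    if depth == 0:
        return dn_string(x509.get_subject()) in ACCEPTED_SERVER_DNS
    return True


def make_verify_callback(hostname, accepted_dns=ACCEPTED_SERVER_DNS):
    """Build a callback with the 1.2.0/1.2.2 behaviour: OpenSSL's verdict is
    binding, and the DN / hostname check is applied to the leaf on top of it."""
    def verify_callback(conn, x509, errnum, depth, preverify_ok):
        if not preverify_ok:
            return False             # untrusted issuer, expired, bad signature ...
        if depth > 0:
            return True              # CA certificates: OpenSSL's checks suffice
        subject = x509.get_subject()
        if dn_string(subject) in accepted_dns:
            return True
        cn = common_name(subject)
        return cn is not None and cn_matches_hostname(cn, hostname)
    return verify_callback


def demo():
    """Leaf with an accepted subject, once with a failed chain (preverify_ok=0,
    errnum 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) and once with a
    good chain.  Returns which callbacks would let the handshake continue."""
    leaf = StubX509(StubX509Name([(b"O", b"Example Grid"),
                                  (b"OU", b"Hosts"),
                                  (b"CN", b"myproxy.localhost")]))
    fixed = make_verify_callback("myproxy.localhost")
    return {
        "insecure_bad_chain": insecure_verify_callback(None, leaf, 20, 0, 0),
        "fixed_bad_chain": fixed(None, leaf, 20, 0, 0),
        "fixed_good_chain": fixed(None, leaf, 0, 0, 1),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the fixed version is that an application-level check can only narrow what OpenSSL already accepted, never widen it: a returned False from OpenSSL (preverify_ok == 0) must stay False regardless of how attractive the subject name looks.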

1.1.0 2 June 2010

  • Added a bootstrap capability to initialise the client's CA certificate set-up so that it trusts the server's SSL certificate.

1.0 26 April 2010

  • This version includes a new method, getTrustRoots, to support downloading the CA certificates for a given MyProxy server (command=7; see http://grid.ncsa.illinois.edu/myproxy/protocol/).
  • 1.0 switches from M2Crypto to PyOpenSSL for its OpenSSL wrapper.
  • A put method is included as a stub only. Unfortunately, the PyOpenSSL X.509 extensions interface does not support the proxyCertInfo extension type needed for creating proxy certificates.

Installation

MyProxyClient is available from PyPI:

$ sudo easy_install MyProxyClient

Troubleshooting

The build may fail on the PyOpenSSL dependency because it requires the OpenSSL header files to be present. Most Linux distributions provide an OpenSSL devel package containing these files, which can be installed with the native package manager.

Examples

API

Retrieve credentials from a MyProxy server running at myproxy.localhost on the default port:

>>> from myproxy.client import MyProxyClient
>>> myproxy = MyProxyClient(hostname='myproxy.localhost')
>>> credentials = myproxy.logon('myusername', 'mypassword', bootstrap=True)

credentials is a tuple containing the certificate(s) and private key as strings. The bootstrap flag bootstraps the trust roots for the server, downloading its CA certificate(s) to ~/.globus/certificates.
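Because logon() hands back the private key as an in-memory string, the caller is responsible for where it lands on disk. The following is an added example, not MyProxyClient's own code: it persists the tuple the way the console script's -o option does, as a single PEM file readable by its owner only, written under a temporary name and renamed into place. It assumes the tuple holds PEM text with the certificate(s) before the key, as the text above states, and lays the file out as leaf certificate, private key, remaining chain (the order Globus-style proxy files use; that layout is an assumption, not something this page specifies). The PEM blocks are constructed placeholders, not real certificates or keys.

```python
# Added example (not MyProxyClient's own code): persisting the
# (certificate(s), private key) strings that MyProxyClient.logon() returns.
import os
import re
import stat
import tempfile

# One PEM block; the BEGIN and END labels must match (\1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----\r?\n?", re.S)

# Constructed placeholders: the bodies are not valid DER, just PEM-shaped text.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "Q09OU1RSVUNURURfTEVBRl9DRVJUX05PVF9SRUFM\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_CA_CERT = ("-----BEGIN CERTIFICATE-----\n"
                  "Q09OU1RSVUNURURfQ0FfQ0VSVF9OT1RfUkVBTA==\n"
                  "-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "Q09OU1RSVUNURURfS0VZX05PVF9SRUFM\n"
              "-----END RSA PRIVATE KEY-----\n")


def split_pem(text):
    """Return [(label, block_text), ...] for every PEM block in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def classify(credentials):
    """Sort the tuple's PEM blocks into (certificates, private_keys)."""
    certs, keys = [], []
    for item in credentials:
        for label, block in split_pem(item):
            if label == "CERTIFICATE":
                certs.append(block)
            elif label.endswith("PRIVATE KEY"):
                keys.append(block)
            else:
                raise ValueError("unexpected PEM block: %s" % label)
    return certs, keys


def write_credentials(credentials, path):
    """Write credentials to path with owner-only permissions.

    The data goes to a temporary name created by mkstemp (mode 0600, O_EXCL,
    so a pre-existing file or symlink at that name is never followed) and is
    renamed into place atomically, so no reader ever sees a half-written key."""
    certs, keys = classify(credentials)
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, got %d" % len(keys))
    if not certs:
        raise ValueError("no certificate in credentials")
    target_dir = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=target_dir, prefix=".creds-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(certs[0])             # end-entity certificate first
            fh.write(keys[0])              # then its private key
            fh.write("".join(certs[1:]))   # then the rest of the chain
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def check_permissions(path):
    """True when nobody but the owner can read or write the credential file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Write the constructed sample credentials and report what landed on disk."""
    creds = (SAMPLE_CERT, SAMPLE_CA_CERT, SAMPLE_KEY)
    with tempfile.TemporaryDirectory() as d:
        path = write_credentials(creds, os.path.join(d, "creds.pem"))
        with open(path) as fh:
            layout = [label for label, _ in split_pem(fh.read())]
        owner_only = check_permissions(path)
    certs, keys = classify(creds)
    return {"certs": len(certs), "keys": len(keys),
            "layout": layout, "owner_only": owner_only}
```

With the API call above this becomes write_credentials(credentials, os.path.expanduser('~/creds.pem')). Rejecting a tuple with zero or several private keys before anything touches the filesystem is deliberate: a malformed server reply should fail loudly rather than leave a half-usable credential file behind.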

Console Script

The script follows a similar form to the myproxy-* executables included with the MyProxy C distribution:

  • Logon as user me using MyProxy server myproxy.somewhere.ac.uk, bootstrapping trust and downloading the trust roots. The certificate and private key are stored in the output file creds.pem in the user's home directory. -b and -T are typically required for a first invocation:
    $ myproxyclient logon -b -T -s myproxy.somewhere.ac.uk -l me -o ~/creds.pem

  • Logon call using the default username (your current $LOGNAME):
    $ myproxyclient logon -s myproxy.somewhere.ac.uk -o ~/creds.pem

Only the logon command is currently supported for this console script. Other commands may be added in future releases.

Full list of options:

$ myproxyclient -h
Usage: myproxyclient [command] [options]

commands:
  logon        Retrieve credentials from a MyProxy service


Options:
  -h, --help            show this help message and exit
  -o OUTFILE, --out=OUTFILE
                        Set the file to store the retrieved creentials. If not
                        specified credentials will be stored in
                        X509_USER_PROXY environment variable.  To write the
                        credential tostdout use -o -.
  -C CADIR, --cadir=CADIR
                        Set location of trusted certificates.  By default this
                        is the X509_CERT_DIR  environment variable or
                        ~/.globus/certificates or /etc/grid-security.
  -s HOSTNAME, --pshost=HOSTNAME
                        Set hostname of myproxy server
  -p PORT, --psport=PORT
                        Set port of myproxy server
  -t PROXY_LIFETIME, --proxy_lifetime=PROXY_LIFETIME
                        Set proxy certificate Lifetime (hours)
  -S, --stdin_pass      Read the password directly from stdin
  -b, --bootstrap       Download trusted CA certificates
  -T, --trustroots      Update trustroots
  -l USERNAME, --username=USERNAME
                        Set username

Documentation

epydoc-generated documentation is available at the Python package site.

Subversion Repository

See http://proj.badc.rl.ac.uk/ndg-security/browser/trunk/MyProxyClient