Changes between Version 19 and Version 20 of MyProxyClient


Timestamp: 16/12/10 07:52:05 (9 years ago)
Author: pjkersha
Comment: --

  • MyProxyClient

    v19 v20  
     1= !MyProxyClient = 
     2The !MyProxyClient Python package has been developed as part of development activities for the [http://ndg.nerc.ac.uk/ NERC DataGrid] Security system.  This work has been supported over the past year (2007-2008) by [http://proj.badc.rl.ac.uk/ndg/wiki/TI12_Security/OMII-UK OMII-UK]. 
     3 
     4The implementation is based on the [http://www-new.mcs.anl.gov/fl/research/accessgrid/myproxy/myproxy.html myproxy_logon] script developed by Tom Uram of ANL.  Rather than binding to the [http://grid.ncsa.uiuc.edu/myproxy/ MyProxy] C libraries, it uses the M2Crypto Python OpenSSL library wrapper to make calls to a !MyProxy server following the [http://grid.ncsa.uiuc.edu/myproxy/protocol/ MyProxy protocol]. 
     5 
     6== Releases == 
     7=== 1.2.2 9 December 2010 === 
     8Fixes bug with server certificate subject name check - allow for `host/`, `myproxy/` or no prefix to subject name Common Name field. This is now applied as a default without any need to set explicitly. 
     9 
     10=== 1.2.1 18 November 2010 === 
     111.2.1 Fix non-ASCII character bug in `script.py`. 
     12 
     13=== 1.2.0 30 Sept 2010 === 
     14 * important fix for SSL peer verification.  Verify callback for `OpenSSL.SSL.Context.set_verify` was not enforcing the pre-verify OK code passed to it.  This means that when a DN was set as accepted it would ignore any possible error caused in verification of the server certs CA certificate chain. 
     15 * added `myproxyclient` console script contributed by Stephen Pascoe. 
     16 
     17=== 1.1.0 2 June 2010 === 
     18 * added bootstrap capability to initialise client CA certificate set-up to trust the server's SSL certificate. 
     19 
     20=== 1.0 26 April 2010 === 
     21 * This version includes a new method `getTrustRoots` to support the ability to download the CA certificates for a given !MyProxy server (command=7 - see: http://grid.ncsa.illinois.edu/myproxy/protocol/) 
     22 * 1.0 switches from M2Crypto to PyOpenSSL for its OpenSSL wrapper. 
     23 * A put method is included as a stub only.  Unfortunately, the PyOpenSSL X.509 Extensions interface doesn't support the `proxyCertInfo` extension type needed for creating proxy certificates. 
     24 
     25== Installation == 
     26!MyProxyClient is available from PyPI: 
     27 
     28{{{ 
     29$ easy_install MyProxyClient 
     30}}} 
     31=== Troubleshooting === 
     32The build may fail for the `PyOpenSSL` package dependency because it requires that the OpenSSL header files are present.  Most Linux systems provide an OpenSSL devel package which contains these files.  It can be installed with the native package manager.  
     33 
     34== Example == 
     35=== API === 
     36Retrieve credentials from a !MyProxy server running at `myproxy.localhost` on the default port: 
     37{{{ 
     38>>> from myproxy.client import MyProxyClient 
     39>>> myproxy = MyProxyClient(hostname='myproxy.localhost') 
     40>>> credentials = myproxy.logon('myusername', 'mypassword', bootstrap=True) 
     41}}} 
     42`credentials` is a tuple containing certificate(s) and private key as strings.  The `bootstrap` flag bootstraps the trust roots for the server downloading the CA certificate(s) to `~/.globus/certificates`. 
     43 
     44=== Console Script === 
     45The script follows a similar form to the myproxy-* executables included with the MyProxy C distribution: 
     46{{{ 
     47$ myproxyclient -h 
     48Usage: myproxyclient [command] [options] 
     49 
     50commands: 
     51  logon        Retrieve credentials from a MyProxy service 
     52 
     53 
     54Options: 
     55  -h, --help            show this help message and exit 
     56  -o OUTFILE, --out=OUTFILE 
     57                        Set the file to store the retrieved creentials. If not 
     58                        specified credentials will be stored in 
     59                        X509_USER_PROXY environment variable.  To write the 
     60                        credential tostdout use -o -. 
     61  -C CADIR, --cadir=CADIR 
     62                        Set location of trusted certificates.  By default this 
     63                        is the X509_CERT_DIR  environment variable or 
     64                        ~/.globus/certificates or /etc/grid-security. 
     65  -s HOSTNAME, --pshost=HOSTNAME 
     66                        Set hostname of myproxy server 
     67  -p PORT, --psport=PORT 
     68                        Set port of myproxy server 
     69  -t PROXY_LIFETIME, --proxy_lifetime=PROXY_LIFETIME 
     70                        Set proxy certificate Lifetime (hours) 
     71  -S, --stdin_pass      Read the password directly from stdin 
     72  -b, --bootstrap       Download trusted CA certificates 
     73  -T, --trustroots      Update trustroots 
     74  -l USERNAME, --username=USERNAME 
     75                        Set username 
     76}}} 
     77 * Logon as user `me` call bootstrapping trust and downloading trust roots.  The certificate and private key are stored in the output file `creds.pem` in the user's home directory.  `-b` and `-T` are typically required for a first invocation: 
     78{{{ 
     79$ myproxyclient logon -b -T -s myproxy.somewhere.ac.uk -l me -o ~/creds.pem 
     80}}} 
     81Logon as user `me` call bootstrapping trust and downloading trust roots 
     82{{{ 
     83$ myproxyclient logon -b -T -s myproxy.somewhere.ac.uk -l me -o ~/creds.pem 
     84}}} 
     85Only the `logon` command is currently supported for this console script.  Other commands may be added in future releases. 
     86 
     87== Documentation == 
     88epydoc generated [http://packages.python.org/MyProxyClient/ documentation] is available at the Python package site. 
     89 
     90== !SubVersion Repository == 
     91See http://proj.badc.rl.ac.uk/ndg/browser/TI12-security/trunk/MyProxyClient
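
Review bot: In the Example section (v20 lines 42 and 77), `bootstrap=True` and `-b` are described only as downloading the server's CA certificate(s) into `~/.globus/certificates`, with `-b` and `-T` "typically required for a first invocation", but the text never says how the server is authenticated on that first connection or that the flags are meant to be dropped afterwards. Add a sentence stating what is and is not verified during bootstrap, recommend checking the downloaded trust roots out of band, and show a follow-up logon without `-b` so readers do not copy the first-run command into scripts. Separately, v20 lines 77-80 and 81-84 repeat the same `myproxyclient logon -b -T -s myproxy.somewhere.ac.uk -l me -o ~/creds.pem` command with nearly identical wording; keep the bulleted version and drop the second.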