MyProxyWebService

MyProxyWebService is a Python WSGI application that exposes MyProxy operations through a simple HTTP interface. MyProxy is a service for managing PKI credentials and is part of the Globus Toolkit. The purpose of MyProxyWebService is to make it more straightforward to write client applications for MyProxy: for example, the bash shell scripts included with the package require only openssl and curl, command line programs included with most Linux/UNIX distributions.

The two scripts are myproxy-ws-get-trustroots.sh and myproxy-ws-logon.sh.

Bootstrap trust in the MyProxy HTTP service:

$ myproxy-ws-get-trustroots.sh -b -U https://myproxy.somewhere.ac.uk/get-trustroots
Bootstrapping MyProxy server root of trust.
Trust roots have been installed in /home/pjk/.globus/certificates

Obtain a credential:

$ myproxy-ws-logon.sh -U https://myproxy.somewhere.ac.uk/logon -o creds.pem

myproxy-ws-get-trustroots.sh makes an HTTP GET call to the web service and receives a response containing the trusted root files for the MyProxy server, i.e. the CA certificate(s) needed to verify the web service's SSL certificate. These are written to the standard location $HOME/.globus/certificates. Note that with the -b option this first call is made before any trust roots are installed, so the client cannot verify the server's certificate on that request: it is a trust-on-first-use step, and the downloaded CA certificates should be checked out of band (for example by comparing their fingerprints with those published by the CA operator) before they are relied on.

With the trust roots installed the client can now make a logon request, authenticating the server with SSL. The logon script creates a private key locally and HTTP POSTs a certificate request to the web service; the user is authenticated with HTTP Basic Auth against the realm set in the service configuration (see Deployment below). The service responds with a new signed certificate. The certificate and key are written to the output file creds.pem; the private key never leaves the client.

The web service is effectively a proxy to the MyProxy service. It translates the HTTP requests from the client into requests to the MyProxy server using the standard MyProxy protocol, which it speaks via the Python MyProxyClient package.
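The two exchanges described above (trust-root bootstrap, then logon), as an added example that is not the project's code: a minimal WSGI application with the same two endpoints and the configuration values from the Deployment section, driven in-process with a constructed WSGI environ so it runs without a network or a MyProxy server. The demo_logon callback, the CA_FILES and USERS tables, the one-line-per-file `name=base64(content)` wire format for the trust roots, and the CONSTRUCTED-... PEM placeholders are all assumptions of this example; the real service hands the username, password and certificate request to MyProxyClient instead.

```python
import base64
import hmac
import os
import re
import tempfile
from io import BytesIO

REALM = "myproxy-realm"                  # myproxy.httpbasicauth.realm
LOGON_FUNC_KEY = "MYPROXY_LOGON_FUNC"    # myproxy.logon.logonFuncEnvKeyName
LOGON_PATHS = [re.compile(r"^/logon$")]  # myproxy.logon.rePathMatchList
TRUSTROOTS_PATH = "/get-trustroots"      # myproxy.getTrustRoots.path

# Constructed sample data (assumptions of this example): a fake CA directory and one user.
CA_FILES = {
    "deadbeef.0": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "deadbeef.signing_policy": "access_id_CA X509 '/O=Example/CN=Example CA'\n",
}
USERS = {"pjk": "correct horse"}

def parse_basic_auth(header):
    """Decode 'Authorization: Basic <base64>' into (user, password); None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def demo_logon(user, password, csr_pem):
    """Hypothetical stand-in for the MyProxyClient logon call the real service makes:
    constant-time password check, then a constructed certificate for the CSR."""
    expected = USERS.get(user, "").encode("utf-8")
    if not hmac.compare_digest(expected, password.encode("utf-8")) or user not in USERS:
        raise PermissionError("bad username or password")
    if "-----BEGIN CERTIFICATE REQUEST-----" not in csr_pem:
        raise ValueError("body is not a PEM certificate request")
    return "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CERT-FOR-%s\n-----END CERTIFICATE-----\n" % user

def myproxy_app(environ, start_response):
    """WSGI app: get-trustroots is anonymous, logon sits behind HTTP Basic Auth."""
    path = environ.get("PATH_INFO", "")
    if path == TRUSTROOTS_PATH and environ["REQUEST_METHOD"] == "GET":
        # Assumed wire format: one 'filename=base64(content)' line per trust-root file.
        lines = ["%s=%s" % (n, base64.b64encode(d.encode()).decode()) for n, d in sorted(CA_FILES.items())]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("\n".join(lines) + "\n").encode()]
    if any(p.match(path) for p in LOGON_PATHS):
        challenge = [("WWW-Authenticate", 'Basic realm="%s"' % REALM)]
        creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
        if creds is None:
            start_response("401 Unauthorized", challenge)
            return [b"authentication required\n"]
        csr_pem = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0)).decode("utf-8")
        try:
            cert_pem = environ[LOGON_FUNC_KEY](creds[0], creds[1], csr_pem)
        except PermissionError:
            start_response("401 Unauthorized", challenge)  # same reply for unknown user and bad password
            return [b"authentication failed\n"]
        except ValueError as exc:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [str(exc).encode()]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [cert_pem.encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]

def call(app, method, path, body=b"", auth=None):
    """Drive the app in-process, as curl would over the network; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": BytesIO(body), LOGON_FUNC_KEY: demo_logon}  # the auth middleware sets this key
    if auth:
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(("%s:%s" % auth).encode()).decode()
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out.decode("utf-8")

def install_trust_roots(body, dest_dir):
    """Client side of get-trustroots: write each returned file into dest_dir (the script uses
    $HOME/.globus/certificates).  The server is not yet authenticated at bootstrap time, so
    a name that is not a plain basename is refused rather than written."""
    written = []
    for line in body.splitlines():
        name, _, b64 = line.partition("=")
        if not name or name != os.path.basename(name) or name.startswith("."):
            raise ValueError("refusing unsafe trust-root filename %r" % name)
        with open(os.path.join(dest_dir, name), "wb") as fh:
            fh.write(base64.b64decode(b64))
        written.append(name)
    return written

def run_demo():
    """Bootstrap trust, then log on, in the order the two scripts are used."""
    dest = tempfile.mkdtemp()
    status, _, body = call(myproxy_app, "GET", TRUSTROOTS_PATH)
    installed = install_trust_roots(body, dest)
    csr = b"-----BEGIN CERTIFICATE REQUEST-----\nCONSTRUCTED\n-----END CERTIFICATE REQUEST-----\n"
    unauth, headers, _ = call(myproxy_app, "POST", "/logon", csr)
    bad, _, _ = call(myproxy_app, "POST", "/logon", csr, auth=("pjk", "wrong"))
    ok, _, cert = call(myproxy_app, "POST", "/logon", csr, auth=("pjk", "correct horse"))
    return {"trustroots": status, "installed": installed, "unauth": unauth,
            "challenge": headers.get("WWW-Authenticate"), "bad_password": bad, "logon": ok, "cert": cert}
```

Two details carry the security weight here: the logon path answers a missing header, an unknown user and a wrong password with the same 401 and realm challenge, so the response does not reveal which accounts exist; and install_trust_roots refuses any filename that is not a plain basename, because at bootstrap time the server has not been authenticated and must not be able to choose where on the client's filesystem its response is written.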

source:/trunk/NDGSecurity/documentation/MyProxy/MyProxyWebService.png

One drawback is that, since there is an intermediary (the web service) between the MyProxy server and the client, the client cannot authenticate to the MyProxy server directly with SSL: the SSL session terminates at the web service, which then connects to MyProxy on the client's behalf. As such, only operations like logon, which authenticate the user with a username and password rather than a client certificate, are suited to this approach. To make a complete implementation of the MyProxy operations, the HTTP interface would need to be integrated directly into the MyProxy server.

Installation

The software is available as a Python egg on PyPI:  http://pypi.python.org/pypi/MyProxyWebService/

To install,

$ sudo easy_install MyProxyWebService

Deployment

The WSGI code has a Paste Deploy interface, enabling convenient configuration via an ini file, e.g.

[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = 5000

[app:main]
paste.app_factory = myproxy.server.wsgi.app:MyProxyApp.app_factory
prefix = myproxy.

# HTTP Basic Auth authentication realm used with MyProxy logon requests.
myproxy.httpbasicauth.realm = myproxy-realm

# The key name in the WSGI environ dictionary which holds the MyProxy logon
# function.  This is used by the HTTP Basic Auth middleware
myproxy.logon.logonFuncEnvKeyName = MYPROXY_LOGON_FUNC

# Path for logon requests
#
# The URI path or paths that will be matched to a logon request.  Regular
# expression may be entered but typically only a single path would be expected
# for the logon request.  The format of this option is inherited from the more
# generic HTTP Basic Auth middleware which the MyProxyApp uses.
myproxy.logon.rePathMatchList = /logon

# Path for get trust roots call.  This should be a single path.  Regular
# expressions are not supported.
myproxy.getTrustRoots.path = /get-trustroots

# MyProxy server which this MyProxy WSGI app is a client to.  Set here to the 
# fully qualified domain name or else set the MYPROXY_SERVER environment
# variable.  See the documentation for the MyProxyClient egg for details
#myproxy.client.hostname = myproxy.somewhere.ac.uk
myproxy.client.caCertDir = /etc/grid-security/certificates

As a WSGI application, it integrates easily with Apache via mod_wsgi. Test code provided with the package uses Paste's paster web server. Note that the Paste#http server in the example above serves plain HTTP on all interfaces: since the logon request carries the user's password in an HTTP Basic Auth header and the client scripts rely on SSL to authenticate the service, a production deployment should be served over HTTPS (for example behind Apache with mod_ssl) rather than exposed directly on a plain-HTTP port.

Source Code

Available in the Subversion repository on this site.


Philip Kershaw, 29/06/10