6.5.1.2 Storing User-Provided Credentials
Once the user has set the necessary credentials through a given credential portlet,
the credential data is stored by WS-PGRADE/gUSE. Each WS-PGRADE/gUSE
user has a dedicated credential storage space allocated on the front-end component
of the gateway, which is the user's directory, and is only accessible by the given
user (and by WS-PGRADE/gUSE services acting on behalf of the user). The
credentials provided by the user are stored in this location, and follow the naming
scheme of x509up.<name>, where <name> represents the name of a computing
infrastructure resource. Let us assume for example, that the user has set credentials
for a gLite resource (using authentication type x509) called seegrid, and a
CloudBroker resource (using authentication type basic authentication) called
platform. In this case two credential-related files exist in the user's directory, one
called x509up.seegrid, and another called x509up.platform. It follows from this
naming scheme that it is not possible to store credentials of different computing
resources using the same name, even if they belong to a different computing
infrastructure.
The content of the credential files depends on the computing infrastructure's
authentication method they store the credential for:
• Basic authentication: in this case the credential file contains two strings, a
  username (or e-mail address) and a password, placed into separate lines,
• X.509: in this case the credential file contains the X.509 proxy certificate as it
  has been downloaded from the MyProxy server,
• SAML: in this case the credential file contains the SAML assertion data,
• SSH key: in this case actually two credential files exist; one containing the SSH
  key pair's private part (in a file called x509up.<name>), and one containing the
  SSH key pair's public part (in a file called x509up.<name>.pub).
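An added example (not part of the original text or of WS-PGRADE/gUSE): a read-only audit of a user's credential directory that checks the owner-only access described above and identifies which kind of credential each x509up.<name> file holds. The content heuristics, the resource name `cluster`, and all sample file contents are assumptions constructed for illustration.

```python
import stat
import tempfile
from pathlib import Path

PREFIX = "x509up."  # naming scheme from the text: x509up.<name>

def classify(path: Path) -> str:
    """Guess the credential type from content (heuristics are assumptions).
    ".pub" counts as an SSH public part only if the private part exists."""
    text = path.read_text(errors="replace").strip()
    if path.name.endswith(".pub") and path.with_suffix("").exists():
        return "ssh-public"
    if "-----BEGIN CERTIFICATE-----" in text:
        return "x509-proxy"
    if "PRIVATE KEY-----" in text:
        return "ssh-private"
    if text.startswith("<") and "Assertion" in text:
        return "saml"
    if len(text.splitlines()) == 2:
        return "basic"
    return "unknown"

def audit(user_dir: Path) -> list:
    """Report type and permission issues per file; contents are never returned."""
    findings = []
    for path in sorted(user_dir.glob(PREFIX + "*")):
        st = path.lstat()  # lstat: do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            findings.append({"file": path.name, "kind": "unknown", "issues": ["not a regular file"]})
            continue
        kind, issues = classify(path), []
        # The text says only the owning user may access these files.
        if kind != "ssh-public" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            issues.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
        findings.append({"file": path.name, "kind": kind, "issues": issues})
    return findings

def demo() -> list:
    samples = {  # constructed sample contents, not real credentials
        "x509up.seegrid": ("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n", 0o600),
        "x509up.platform": ("alice@example.org\nnot-a-real-password\n", 0o644),
        "x509up.cluster": ("-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n", 0o600),
        "x509up.cluster.pub": ("ssh-ed25519 AAAA constructed\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mode) in samples.items():
            (Path(tmp) / name).write_text(body)
            (Path(tmp) / name).chmod(mode)
        return audit(Path(tmp))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the constructed sample, the basic-authentication file x509up.platform is the one flagged, because it holds a plaintext password and is readable by group and others.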
6.5.1.3 Using User-Provided Credentials for Job Execution
For each job submitted as part of an experiment, the job's description contains the
name of the user who submitted the job, the type of the computing infrastructure the
job should be handled by, and the name of the resource the job should be run on.
All this information is necessary to identify unambiguously the credential set by the
user for the given job. The steps to get the credential for the given job are as
follows:
1. When the DCI Bridge (the job submission component of WS-PGRADE/gUSE)
receives the job, it checks the type of the computing infrastructure, and asks the
relevant plugin to handle the job.
2. The plugin in charge gets the name of the user, and the name of the resource
from the job description.