Delegation example
Here is a step-by-step example demonstrating how to test the delegation facilities in ProtoGENI. The example assumes that an existing user named joe at a federated site, example.org, wishes to delegate all privileges on slice mytestslice to a new user who will be called mary. Unless otherwise specified, assume that all operations are carried out as joe on a ProtoGENI ops node, under the protogeni/test directory within a testbed checkout.
- Please note that delegation requires the XMLSec software to be installed on the ops node; this should be done on all ProtoGENI sites. If your ops node does not yet have it, you or your system administrator should perform the installation now (you can do this using the /usr/ports/security/xmlsec1 port).
- If the mary user has not been created, please request an account for her through the Emulab WWW interface. This will require the approval of the head of whichever project she chooses to join. Once the account is created, she must create an SSL certificate (which is also done under the WWW interface; via the "My Emulab" and "Generate SSL Cert" links).
- If the slice does not yet exist, please create it now. This is performed with the ./createslice.py command, which should result in output similar to the following:
Got my SA credential
Deleting previously registered slice
Creating new slice called mytestslice
New slice created
The slice credential created by this operation looks something like this:
- Joe can now sign a new credential which will prove that his privileges have been delegated with his permission. The command to do this is:
./delegate.py urn:publicid:IDN+example.org+slice+mytestslice urn:publicid:IDN+example.org+user+mary > /tmp/delegatedcredential.xml
He will be prompted for the passphrase which protects his private key at this point, because the delegated credential is signed with that key and the signature is what lets the receiving site verify that the delegation really came from Joe. The delegated credential looks like this:
- To demonstrate that Mary would not otherwise have permission to access a slice created by Joe, attempt to generate a ticket within the test slice by invoking ./getticket.py logged in as mary. This should fail with a message like the following:
Got my SA credential, looking up mytestslice
Asking for slice credential for mytestslice
Not your slice! : Could not get Slice credential
- By contrast, if Mary presents the credential generated in the delegate.py step above, permission will be granted. The invocation (again, using the mary user account) now becomes:
./getticket.py -s /tmp/delegatedcredential.xml
and should produce output similar to:
Got my SA credential, looking up mytestslice
Asking for slice credential for mytestslice
Got the slice credential
Asking for a ticket from the local CM
Got a ticket from the CM.
Delaying a moment ...
Releasing the ticket now ...
Ticket has been released
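To make the decision behind "Not your slice!" concrete, the following is a toy model of the delegation chain written for this page; it is not ProtoGENI code and does not use its credential format. Credentials are Python dicts rather than signed XML, the signatures are HMACs keyed by constructed per-principal secrets standing in for the XML-DSig signatures that xmlsec verifies on the ops node, and the privilege names and the slice-authority URN are made up. The check enforces what a verifier needs from a delegated credential: it is signed by the owner of the parent credential, names the same slice, grants no more than the parent grants, does not outlive it, and the chain ends at a credential issued by the slice authority. It also goes beyond the page by covering delegation of a proper subset of privileges, which the page says delegate.py does not yet support.

```python
import hashlib
import hmac
import json

SLICE_URN = "urn:publicid:IDN+example.org+slice+mytestslice"
JOE = "urn:publicid:IDN+example.org+user+joe"
MARY = "urn:publicid:IDN+example.org+user+mary"
SA = "urn:publicid:IDN+example.org+authority+sa"  # assumed URN for the slice authority

# Constructed per-principal signing secrets. On a real ops node each signature
# is an XML-DSig made with the user's SSL private key and checked with xmlsec;
# an HMAC keyed by a secret the verifier knows stands in for that here.
KEYS = {SA: b"sa-key", JOE: b"joe-key", MARY: b"mary-key"}

# Constructed privilege names; the real credential has its own vocabulary.
PRIVS = frozenset({"resolve", "info", "instantiate"})


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(body, signer):
    sig = hmac.new(KEYS[signer], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signer": signer, "sig": sig}


def signature_valid(cred):
    key = KEYS.get(cred["signer"])
    if key is None:
        return False
    expected = hmac.new(key, _canonical(cred["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["sig"])


def issue_slice_credential(owner, slice_urn, privileges, expires):
    """Root credential for a slice, issued and signed by the slice authority."""
    body = {"owner": owner, "target": slice_urn,
            "privileges": sorted(privileges), "expires": expires}
    return _sign(body, SA)


def delegate(parent, new_owner, signer, privileges=None, expires=None):
    """The current owner (signer) issues a child credential to new_owner.
    Defaults hand over everything; a smaller set models subset delegation."""
    pbody = parent["body"]
    body = {"owner": new_owner,
            "target": pbody["target"],
            "privileges": sorted(pbody["privileges"] if privileges is None else privileges),
            "expires": pbody["expires"] if expires is None else expires,
            "parent": parent}
    return _sign(body, signer)


def check_credential(cred, requester, slice_urn, now):
    """Decide whether requester may use cred on slice_urn; returns (ok, reason)."""
    body = cred["body"]
    if not signature_valid(cred):
        return False, "bad signature"
    if body["expires"] <= now:
        return False, "expired"
    if body["target"] != slice_urn:
        return False, "credential names a different slice"
    if body["owner"] != requester:
        return False, "Not your slice!"
    parent = body.get("parent")
    if parent is None:
        # Root of the chain: only the slice authority may have issued it.
        return (True, "ok") if cred["signer"] == SA else (False, "root not issued by the SA")
    # Delegated: signed by the parent's owner, no wider and no longer-lived
    # than the parent, and the parent must itself be valid for the delegator.
    if cred["signer"] != parent["body"]["owner"]:
        return False, "not signed by the parent credential's owner"
    if not set(body["privileges"]) <= set(parent["body"]["privileges"]):
        return False, "grants privileges the delegator does not hold"
    if body["expires"] > parent["body"]["expires"]:
        return False, "outlives the parent credential"
    ok, reason = check_credential(parent, parent["body"]["owner"], slice_urn, now)
    return (True, "ok") if ok else (False, "parent: " + reason)


def walkthrough(now=1000):
    """Replay the page's steps plus two abuse cases; returns each decision."""
    joes = issue_slice_credential(JOE, SLICE_URN, PRIVS, expires=2000)
    return {
        # getticket.py as mary, presenting only Joe's own slice credential
        "refused": check_credential(joes, MARY, SLICE_URN, now),
        # getticket.py -s /tmp/delegatedcredential.xml
        "granted": check_credential(delegate(joes, MARY, signer=JOE), MARY, SLICE_URN, now),
        # Mary signs the delegation herself instead of Joe
        "forged": check_credential(delegate(joes, MARY, signer=MARY), MARY, SLICE_URN, now),
        # Joe tries to hand out a privilege he does not hold
        "widened": check_credential(delegate(joes, MARY, JOE, privileges=PRIVS | {"admin"}),
                                    MARY, SLICE_URN, now),
        # proper-subset delegation
        "narrowed": check_credential(delegate(joes, MARY, JOE, privileges={"info"}),
                                     MARY, SLICE_URN, now),
    }
```

Calling walkthrough() reproduces the two outcomes shown on this page (Joe's credential alone is refused for Mary, the delegated one is accepted) and shows why the signature matters: a delegation Mary signs herself fails the "signed by the parent's owner" rule even though its own signature verifies, and a delegation that adds a privilege Joe does not hold is refused regardless of who signed it.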
The delegation facilities are under active development, and more sophisticated operations (such as delegating a proper subset of a user's privileges) should be available in the near future.