Delegationexample

Here is a step-by-step example demonstrating how to test the delegation facilities in ProtoGENI. The example assumes that an existing user named joe at a federated site example.org wishes to delegate all privileges on slice mytestslice to a new user who will be called mary. Unless otherwise specified, assume that all operations are carried out as joe on a ProtoGENI ops node, under the protogeni/test directory within a testbed checkout.

  1. Please note that delegation requires the XMLSec software to be installed on the ops node; this should be done on all ProtoGENI sites. If your ops node does not yet have it, you or your system administrator should perform the installation now (on FreeBSD this can be done using the /usr/ports/security/xmlsec1 port).
  2. If the mary user has not been created, request an account for her through the Emulab WWW interface. This will require the approval of the head of whichever project she chooses to join. Once the account is created, she must create an SSL certificate (also done through the WWW interface, via the "My Emulab" and "Generate SSL Cert" links).
  3. If the slice does not yet exist, please create it now. This is performed with the ./createslice.py command, which should result in output similar to the following:
    Got my SA credential
    Deleting previously registered slice
    Creating new slice called mytestslice
    New slice created
    
    The slice credential created by this operation looks something like this:
    (image: simple-credential.png, the slice credential)
  4. Joe can now sign a new credential which will prove that his privileges have been delegated with his permission. The command to do this is:
    ./delegate.py urn:publicid:IDN+example.org+slice+mytestslice urn:publicid:IDN+example.org+user+mary > /tmp/delegatedcredential.xml
    
    At this point he will be prompted for the passphrase protecting his private key, because the key is required to compute the signature over the new credential. The delegated credential looks like this:
    (image: delegated-credential.png, the delegated credential)
  5. To demonstrate that Mary would not otherwise have permission to access a slice created by Joe, attempt to generate a ticket within the test slice by invoking ./getticket.py while logged in as mary. This should fail with a message like the following:
    Got my SA credential, looking up mytestslice
    Asking for slice credential for mytestslice
    Not your slice! :  Could not get Slice credential
    
  6. By contrast, if Mary presents the delegated credential generated in step 4, permission will be granted. The invocation (again, using the mary user account) now becomes:
    ./getticket.py -s /tmp/delegatedcredential.xml
    
    and should produce output similar to:
    Got my SA credential, looking up mytestslice
    Asking for slice credential for mytestslice
    Got the slice credential
    Asking for a ticket from the local CM
    Got a ticket from the CM. Delaying a moment ...
    Releasing the ticket now ...
    Ticket has been released
    
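The following script is an added example that automates the walkthrough above as a regression check; it is not part of ProtoGENI's own test directory. It assumes it is run from protogeni/test as joe, that the RUN_AS_MARY command (hypothetical; a site-specific way to run a command as the mary account) is available, that the xmlsec1 signature appears as an XML-DSig Signature element in the output file, and that the delegate's URN appears in the credential text.

```shell
#!/bin/sh
# Added harness for the delegation walkthrough (not ProtoGENI's own code).
SLICE_URN="urn:publicid:IDN+example.org+slice+mytestslice"
MARY_URN="urn:publicid:IDN+example.org+user+mary"
CRED="/tmp/delegatedcredential.xml"
# Hypothetical: how to run a command as mary on this ops node; adjust per site.
RUN_AS_MARY="${RUN_AS_MARY:-sudo -u mary}"

# Classify getticket.py output using the messages shown in steps 5 and 6.
# Prints "denied", "granted" or "unknown" (anything else is unexpected).
classify_getticket_output() {
    case "$1" in
        *"Not your slice!"*)         echo denied ;;
        *"Ticket has been released"*) echo granted ;;
        *)                           echo unknown ;;
    esac
}

# Sanity-check the delegated credential before handing it to mary: it must be
# non-empty, carry an XML-DSig Signature element (what xmlsec1 produces) and
# name the delegate (assumption: the URN appears literally in the XML).
credential_looks_signed_for() {
    file="$1"; delegate="$2"
    [ -s "$file" ] || return 1
    grep -Eq '<([A-Za-z]+:)?Signature[ >]' "$file" || return 1
    grep -qF "$delegate" "$file" || return 1
    return 0
}

# Steps 1, 4, 5 and 6 in order; returns non-zero at the first deviation.
run_walkthrough() {
    command -v xmlsec1 >/dev/null || { echo "xmlsec1 not installed (step 1)"; return 1; }
    ./delegate.py "$SLICE_URN" "$MARY_URN" > "$CRED" || return 1
    credential_looks_signed_for "$CRED" "$MARY_URN" || { echo "credential check failed"; return 1; }
    # Step 5: without the delegated credential, mary must be refused.
    out=$($RUN_AS_MARY ./getticket.py 2>&1)
    [ "$(classify_getticket_output "$out")" = denied ] || { echo "step 5: not denied"; return 1; }
    # Step 6: with it, she must obtain and release a ticket.
    out=$($RUN_AS_MARY ./getticket.py -s "$CRED" 2>&1)
    [ "$(classify_getticket_output "$out")" = granted ] || { echo "step 6: not granted"; return 1; }
    echo "delegation behaves as described"
}
```

Invoke run_walkthrough from a shell that has sourced the script; a failing step prints which check deviated from the expected output.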

The delegation facilities are under active development, and more sophisticated operations (such as delegating a proper subset of a user's privileges) should be available in the near future.