Re: [Globus-discuss] question about contact MMJFS from remote
I don't think so. grid-mapfile has the mapping from
client's grid identity (DN, from client certificate) to
local unix account, while portType file has the
mapping from local account to list of portTypes the
local account is authorized to run. Combining them
together, server knows what clients can do.
This way is good because it is more flexible in
authorization. But now GT is introducing Authorization
Callout, which brings more flexibility.
The documentation is here:
http://www.globus.org/security/GSI3/GRIM-05.doc
Please correct me if I am wrong.
Ningfeng
--- Yingqi Chen <yqglobus@yahoo.ca> wrote:
> Hi Peter,
>
> I have the same problem. According to your answer 3:
> "Your grid-mapfile and grim-port-type.xml files
> should be configured only according to accounts on
> the server. Accounts from other machines (even if
> they have the same username) cannot be proven to
> represent the same individual. This is why there are
> user certificates. The usernames in these files are
> local mappings only since that is the only place the
> usernames have any meaning."
>
> it seems that a user on the client side can't submit
> jobs to the server if he doesn't have a local user
> account on the server, right? Is there a way for two
> running containers to communicate with each other? Or
> how can a client user submit jobs to the server
> using Globus Toolkit?
>
> Thanks a lot,
>
> Yingqi
>
>
>
> On Mar 3, 2004, at 7:45 AM, naseberry wrote:
> Hi,all
>
> Has anybody tried submitting a job to MMJFS from a
> remote machine? I have some questions about this.
>
> First, do I need to install MMJFS on the client
> machine? If not, I can't find the order
> "managed-job-globusrun"; if yes, I think it can't
> reflect the concept of MMJFS. Then if I copy this
> order "managed-job-globusrun" from server to client,
> does it work?
> Since there's no division currently between client
> and server packages, you basically have to install
> everything on the client machine as well. You do not
> have to run a container, though, since you don't
> want to expose any services on the client side.
>
> Second, do I need to create grim-port-type.xml and
> grid-mapfile file on the client side?
>
> No.
> third, on the server side, I have files like this:
> ------------------------------------------------
> grim-port-type.xml
> <authorized_port_types>
> <port_type username="orchis">http://www.globus.org/namespaces/managed_job/managed_job/ManagedJobPortType</port_type>
> </authorized_port_types>
>
> ------------------------------------------------------
> grid-mapfile
> "/O=Globus/OU=ecict/OU=ecict.com/CN=orchis" orchis
>
> ----------------------------------------------------------------
> on the client side I want to use the account
> "globus" to submit jobs. I revise these two files
> like this on the server side:
> ------------------------------------------------
> grim-port-type.xml
> <authorized_port_types>
> <port_type username="orchis">http://www.globus.org/namespaces/managed_job/managed_job/ManagedJobPortType</port_type>
> <port_type username="globus">http://www.globus.org/namespaces/managed_job/managed_job/ManagedJobPortType</port_type>
> </authorized_port_types>
>
> ------------------------------------------------------
> grid-mapfile
> "/O=Globus/OU=ecict/OU=ecict.com/CN=orchis" orchis
> "/O=Globus/OU=ecict/OU=ecict.com/CN=orchis" globus
>
> ----------------------------------------------------------------
>
> Is anything wrong with it?
> Your grid-mapfile and grim-port-type.xml files
> should be configured only according to accounts on
> the server. Accounts from other machines (even if
> they have the same username) cannot be proven to
> represent the same individual. This is why there are
> user certificates. The usernames in these files are
> local mappings only since that is the only place the
> usernames have any meaning.
>
>
>
> 4. I think I must have a host certificate on the
> client side.
> Not necessary. Host certificates are only intended
> for...big surprise...hosts (i.e. servers). You do
> need CA certificates so as to verify that you trust
> those host certificates being presented by the
> server, though.
>
> any help will be truly appreciated!
> Cheers
> naseberry
> end
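
The two-stage check described in the reply at the top of this message (grid-mapfile: certificate DN to local account; grim-port-type.xml: local account to authorized portTypes), sketched as an added example that is not Globus Toolkit code and not from the thread. The function names, the "guest" entry and the rule that the first entry for a DN wins are assumptions of this sketch.

```python
import shlex
import xml.etree.ElementTree as ET

PORT_TYPE = ("http://www.globus.org/namespaces/managed_job/"
             "managed_job/ManagedJobPortType")

# Constructed sample input. The orchis entries are the ones quoted in the
# thread; the "guest" line is made up to show a mapped but unauthorized user.
GRID_MAPFILE = '''
"/O=Globus/OU=ecict/OU=ecict.com/CN=orchis" orchis
"/O=Example/CN=Constructed User" guest
'''
GRIM_PORT_TYPES = f'''
<authorized_port_types>
  <port_type username="orchis">{PORT_TYPE}</port_type>
</authorized_port_types>
'''

def parse_grid_mapfile(text):
    """Return {DN: local account}. Assumption: first entry for a DN wins."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = shlex.split(line)  # honours the quotes around the DN
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping.setdefault(parts[0], parts[1])
    return mapping

def parse_port_types(xml_text):
    """Return {local account: set of portType URIs it may run}."""
    allowed = {}
    for el in ET.fromstring(xml_text).iter("port_type"):
        allowed.setdefault(el.get("username"), set()).add((el.text or "").strip())
    return allowed

def authorize(dn, port_type, gridmap, port_types):
    """Stage 1: DN -> local account. Stage 2: account -> portType."""
    account = gridmap.get(dn)
    if account is None:
        return (False, None)  # identity has no local account on this server
    return (port_type in port_types.get(account, set()), account)

if __name__ == "__main__":
    gm, pt = parse_grid_mapfile(GRID_MAPFILE), parse_port_types(GRIM_PORT_TYPES)
    for dn in list(gm) + ["/O=Example/CN=Nobody"]:
        print(dn, "->", authorize(dn, PORT_TYPE, gm, pt))
```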