
CDS


Programmatically Delegating a Credential

Group Delegation Policy



The example source code below illustrates how to delegate a credential to the Credential Delegation Service (CDS) with a Group Delegation Policy. In the example, the credential of the user who is currently logged in (or the default credential) is delegated to the CDS for a period of four hours. The delegation policy specified in the example allows members of the Training:Trainees group, managed by the Grid Grouper at https://training03.cagrid.org:6443/wsrf/services/cagrid/GridGrouper, to get a credential. If a user who is a member of Training:Trainees requests a credential, the CDS will issue them a credential valid for 1 hour. If needed, the user may request additional credentials until the 4 hour delegation lifetime expires. Each additional credential will be valid for 1 hour, or for the time left in the four hour delegation lifetime if that is less than 1 hour. Since the delegation path length of issued credentials is 0, a user who is issued a credential will not be permitted to delegate that credential to another party.

import gov.nih.nci.cagrid.common.security.ProxyUtil;

import org.cagrid.gaards.cds.client.ClientConstants;
import org.cagrid.gaards.cds.client.DelegationUserClient;
import org.cagrid.gaards.cds.common.GroupDelegationPolicy;
import org.cagrid.gaards.cds.common.ProxyLifetime;
import org.cagrid.gaards.cds.delegated.stubs.types.DelegatedCredentialReference;
import org.globus.gsi.GlobusCredential;


public class DelegationExample {

    public static DelegatedCredentialReference delegateCredential(String cdsURL) throws Exception {

        // The default credential, or the credential of the user that is
        // currently logged in.

        GlobusCredential credential = ProxyUtil.getDefaultProxy();

        // Specifies how long the delegation service can delegate this
        // credential to other parties.

        ProxyLifetime delegationLifetime = new ProxyLifetime();
        delegationLifetime.setHours(4);
        delegationLifetime.setMinutes(0);
        delegationLifetime.setSeconds(0);

        // Specifies the path length of the credential being delegated;
        // the minimum is 1.

        int delegationPathLength = 1;

        // Specifies how long credentials issued to allowed parties will
        // be valid for.

        ProxyLifetime issuedCredentialLifetime = new ProxyLifetime();
        issuedCredentialLifetime.setHours(1);
        issuedCredentialLifetime.setMinutes(0);
        issuedCredentialLifetime.setSeconds(0);

        // Specifies the path length of the credentials issued to allowed
        // parties. A path length of 0 means that
        // the requesting party cannot further delegate the credential.

        int issuedCredentialPathLength = 0;

        // Specifies the key length of the delegated credential

        int keySize = ClientConstants.DEFAULT_KEY_SIZE;
        
        // The policy stating which parties will be allowed to obtain a
        // delegated credential. The CDS will only issue credentials to
        // parties that are members of the group specified below.

        GroupDelegationPolicy policy = new GroupDelegationPolicy();
        policy.setGridGrouperServiceURL("https://training03.cagrid.org:6443/wsrf/services/cagrid/GridGrouper");
        policy.setGroupName("Training:Trainees");


        // Create an instance of the delegation client, specifying the CDS
        // service URL and the credential to be delegated.

        DelegationUserClient client = new DelegationUserClient(cdsURL, credential);

        // Delegates the credential and returns a reference which can later
        // be used by allowed parties to obtain a credential.

        DelegatedCredentialReference ref = client.delegateCredential(delegationLifetime, delegationPathLength, policy, issuedCredentialLifetime, issuedCredentialPathLength, keySize);
        return ref;
    }

}
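
The lifetime and path-length rules described above can be modeled without the caGrid libraries. The following is an added example, not part of the original page or of the CDS code base. The class and method names are hypothetical, and the pre-flight rules (the local proxy must outlive the delegation, and the issued path length must be lower than the delegation path length) are assumptions drawn from ordinary proxy-certificate semantics, not documented CDS behaviour.

```java
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;

public class DelegationWindowModel {

    // Values taken from the example on this page.
    static final Duration DELEGATION_LIFETIME = Duration.ofHours(4);
    static final Duration ISSUED_LIFETIME = Duration.ofHours(1);

    /** Lifetime of a credential requested `elapsed` after delegation; ZERO means refused. */
    static Duration issuedValidity(Duration delegation, Duration issued, Duration elapsed) {
        Duration remaining = delegation.minus(elapsed);
        if (elapsed.isNegative() || remaining.isZero() || remaining.isNegative()) {
            return Duration.ZERO; // delegation not yet started or already expired
        }
        // Issued credentials never outlive the delegation window.
        return issued.compareTo(remaining) < 0 ? issued : remaining;
    }

    /** Sanity checks a caller could run before delegating (assumed rules, not CDS's own). */
    static List<String> preflight(Duration proxyTimeLeft, Duration delegation, Duration issued,
                                  int delegationPathLength, int issuedPathLength) {
        List<String> problems = new ArrayList<>();
        if (proxyTimeLeft.compareTo(delegation) < 0)
            problems.add("local proxy expires before the delegation lifetime ends");
        if (issued.compareTo(delegation) > 0)
            problems.add("issued credential lifetime exceeds the delegation lifetime");
        if (delegationPathLength < 1)
            problems.add("delegation path length must be at least 1");
        if (issuedPathLength < 0 || issuedPathLength >= delegationPathLength)
            problems.add("issued path length must be between 0 and delegation path length - 1");
        return problems;
    }

    public static void main(String[] args) {
        // Constructed request times, in minutes after the moment of delegation.
        long[] minutes = {0, 60, 200, 239, 240};
        for (long m : minutes) {
            Duration v = issuedValidity(DELEGATION_LIFETIME, ISSUED_LIFETIME, Duration.ofMinutes(m));
            System.out.println("request at +" + m + " min -> valid for " + v.toMinutes() + " min");
        }
        // Constructed case: a 12-hour local proxy with the page's path lengths passes every check.
        System.out.println(preflight(Duration.ofHours(12), DELEGATION_LIFETIME, ISSUED_LIFETIME, 1, 0));
        // Constructed case: 2 hours left on the proxy and an issued path length of 1 are both flagged.
        System.out.println(preflight(Duration.ofHours(2), DELEGATION_LIFETIME, ISSUED_LIFETIME, 1, 1));
    }
}
```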