[AG-DEV] Adventures of a newbie AGtk developer
mimiller at ncsa.uiuc.edu
Tue May 24 16:18:20 CDT 2005
I posted this to AG-TECH but didn't get a response, so I thought I'd
repost it here to get the ball rolling.
I thought I'd try to keep a diary of my experiences as I look to add
something to the AGtk. Hopefully this will point out where things can
be improved or docs be created to help new developers find what they need.
So my goal today is to add an alert message that tells the user his/her
globus certificate is expired.
Not knowing anything about how globus is implemented, I start with what
I perceive as the beginning:
Search ag_source/ag2.3+/AccessGrid/bin/VenueClient.py for "cert" ,
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClient.py for "cert", nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientUI.py for "cert", nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientObserver.py for "cert", nothing found
for "cert" , find:
ManageCertificates menu is provided by CertMgmt module
Hmmm, this is interesting. I wonder where the CertMgmt module is.
Consult online API and find that "The Security module encapsulates all
the interfaces used by the Access Grid Toolkit for doing
security related work".
Ok, now I have a real lead here.
Look in ag_source/ag2.3+/AccessGrid/AccessGrid/Security
ProxyGen.py stands out because that's the point where I want to put the
In here I find a function that uses the command line grid-proxy-init
tool to create a proxy.
But upon looking for the tool on my machine in the path described, I
can't find the executable.
There is an error check here for a bad password; perhaps instead of
looking for a specific error, I could just pass whatever error string is
returned. The entire returned value is sent to GridProxyInitError in
other cases, but I'm thinking that function just dumps something in a
log, which is not always helpful to the average user. And it's obvious
that this is not the way proxies are currently created so, let's look
Search ag_source for anything named grid-proxy-init.
All I find is a couple directories with C source files, in old versions
of the source that I have kept around.
Not what I'm looking for.
So the proxying must be occurring some other way.
I remember something about pyGlobus. Looking further into ProxyGen.py I
This function uses a security.grid_proxy_init function and I see that
security is imported from pyGlobus
Ok, so I'm on the right track, but where is pyGlobus? I don't find it
in the AccessGrid module I downloaded from cvs.
Well it must be in my current install so I look there:
There it is! And in here I find security.py. Since ProxyGen imports this
whole file, I look through all of it looking for the mechanism that looks
at the actual cert. The idea being that I want to grab the expiration
date and compare it to the current date.
So the important function here is grid_proxy_init which uses a
grid_proxy_init or grid_proxy_init2 function from sslutilsc
So I look at sslutilsc; the only thing I find is sslutilsc.pyd. Boa (my
source editor) can see the functions inside, but is reluctant to show me
I see many functions that look like they would return various parameters
from the cert:
proxy_cred_desc_struct_certdir_get would return the directory where the
cert is kept.
proxy_cred_desc_struct_hPrivKey_get would return the hash of the Private
But nowhere do I see that I can grab the expiration date for the cert.
Now I'm thinking that the bad password message gets displayed, so I
should look for where that occurs, because I didn't see it in
In ProxyGen.py I look at CreateGlobusProxyProgrammatic and find there
are exceptions that include an error message about an expired cert. So
I'll have to test this with an expired cert. I wonder how I might
Anyway, this focuses my attention a bit and I redefine my goal to more
directly address the problem I had yesterday.
Goal: When a service is started using a service cert, check to see if
the service cert is expired. If so, alert the user at the VenueClient.
So now I need to figure out where services are started. I consult the API.
AGNodeService, AGService and AGServiceManager stand out
I start with AGServiceManager because that's what will have to consult
the service cert first? Just a guess.
AGServiceManagerIW doesn't have any interface for checking the cert.
AGServiceManagerI looks the same as the IW
AGServiceManager looks the same as the I
So I look at ag_source/ag2.3+/AccessGrid/bin/AGServiceManager to see
where it checks for a cert
I don't find anything directly related here. But "from
AccessGrid.Toolkit import Service" makes me think that might be a place
In ag_source/ag2.3+/AccessGrid/AccessGrid/Toolkit.py I find the Service
class and in there is a commented function _CheckRequestedCert. I keep
looking and below that I find the Initialize function which calls
GetDefaultSubject(), which is a wrapper for
Service.instance().GetDefaultSubject() with a couple alternatives in
case that call fails.
So I look for Service.instance().GetDefaultSubject() but instance is
there just to assure that we are only dealing with one particular
instance of a service and based on the indentation, GetDefaultSubject()
is defined outside the Service class. So now I'm confused as to where
GetDefaultSubject() actually does anything. In the comments I notice
that the Service class is being initialized according to AGEP-0112.
Perhaps that's worth a look. I go looking for AGEP-0112.
Not knowing exactly where they are stored, I search from accessgrid.org
home page, no matches found. I search for AGEP and find two entries. In
the first one, I find a link to
I alter the link to be
The page informs me about the init code for AGtk.
Step 3 is Security Environment verification and Globus Initialization is
listed as a bullet under that. One other section mentions security:
This work should make the toolkit more secure, by enforcing all software
built using the AGTk conforms to the security environment created by the
* Platform Refactoring 213
* Authorization Refactoring 213
* Core Refactoring 213
I just need to figure out what they mean.
reveals an index of the AGEPs. Bookmark this page.
I find Authorization Refactoring as AGEP-105
AGEP-0105.html gives much more detail. But authorization seems to only
refer to getting access to a venue.
A look at the platform refactoring AGEP-108 doesn't offer much more info.
Look back at AGEP search and look at second entry, but the link in that
message is the same as the previous link.
Go back to
and look at the alternatives to see if they give me any clues. Looking
at this again, I see that the alternatives refer to the other classes in
this file. So that doesn't tell me anything.
One thing I do notice is: from AccessGrid.Security import X509Subject
So let's see what X509Subject does... this leads to Subject.py in the
same directory which seems to lead back to X509Subject...
At this point, I don't know where to look, I'm stuck on where to go from
So I'll post this to ag-tech in the hopes that someone can point me in
the right direction.
Be very specific when stating the goal
Start with the API reference:
Be aware to look in the current install rather than just the module
checked out from cvs.
I hope this helps. Anyone have any ideas on where I should look next?
Video Technology Services
Persistent Infrastructure Directorate
National Center for Supercomputing Applications
University of Illinois - UC
"If you're clear in your vision and trust the people in your team with clear objectives, they will invariably do their best to achieve everything desired, and usually deliver everything you could have hoped for and even more." -Paul Debevec
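As an added example (not part of the original post, and not AGtk or pyGlobus code), here is one way to do the check the diary describes: read the certificate's expiration date and compare it to the current date, using only the Python standard library. The names `cert_validity`, `expiry_alert` and `SAMPLE_DER` are hypothetical, the sample is a constructed unsigned skeleton rather than a real certificate, and no signature or chain validation is performed.

```python
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _children(buf, start, end):
    """List (tag, value_start, value_end) for each element inside a SEQUENCE."""
    out = []
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def _time(buf, item):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = buf[item[1]:item[2]].decode("ascii")
    if item[0] == 0x17:  # two-digit year: RFC 5280 maps 50-99 to 19xx, 00-49 to 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, start, end = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate
    fields = _children(der, start, end)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    not_before, not_after = _children(der, *fields[3][1:])  # validity: 4th field
    return _time(der, not_before), _time(der, not_after)

def expiry_alert(der, now=None):
    """Return a message for the user if the cert is outside its validity window."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = cert_validity(der)
    if now > not_after:
        return "Certificate expired on " + not_after.strftime("%Y-%m-%d %H:%M UTC")
    if now < not_before:
        return "Certificate is not valid until " + not_before.strftime("%Y-%m-%d %H:%M UTC")
    return None

# Constructed sample (not a real certificate): unsigned DER skeleton up to validity.
def _enc(tag, body): return bytes([tag, len(body)]) + body
SAMPLE_DER = _enc(0x30, _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
    + _enc(0x30, b"") * 2 + _enc(0x30, _enc(0x17, b"040524000000Z") + _enc(0x17, b"050524000000Z"))))
```

For a PEM file, `ssl.PEM_cert_to_DER_cert()` from the standard library yields the DER bytes these functions expect.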