[AG-DEV] Adventures of a newbie AGtk developer

Michael Miller mimiller at ncsa.uiuc.edu
Tue May 24 16:18:20 CDT 2005


I posted this to AG-TECH but didn't get a response, so I thought I'd 
repost it here to get the ball rolling.


I thought I'd try to keep a diary of my experiences as I look to add 
something to the AGtk.  Hopefully this will point out where things can 
be improved or docs be created to help new developers find what they need.

5-19-05
So my goal today is to add an alert message that tells the user his/her 
globus certificate is expired.

Not knowing anything about how globus is implemented, I start with what 
I perceive as the beginning:
Search ag_source/ag2.3+/AccessGrid/bin/VenueClient.py for "cert" , 
nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClient.py for "cert" 
, nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientUI.py for 
"cert" , nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientObserver.py for 
"cert" , nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientController.py 
for "cert" , find:

    """
    ManageCertificates menu is provided by CertMgmt module
    """
hmmm, this is interesting I wonder where the CertMgmt module is.

consult online API and find that "The Security module encapsulates all 
the interfaces used by the Access Grid Toolkit for doing security 
related work"

ok, now I have a real lead here.

Look in ag_source/ag2.3+/AccessGrid/AccessGrid/Security
ProxyGen.py stands out because that's the point where I want to put the 
alert message
in here I find a function that uses the command line grid-proxy-init 
tool to create a proxy.
but upon looking for the tool on my machine in the path described, I 
can't find the executable.
there is an error check here for a bad password, perhaps instead of 
looking for a specific error, I could just pass whatever error string is 
returned.  The entire returned value is sent to GridProxyInitError in 
other cases, but I'm thinking that function just dumps something in a 
log, which is not always helpful to the average user.  and it's obvious 
that this is not the way proxies are currently created so, let's look 
elsewhere.

search ag_source for anything named grid-proxy-init
all I find is a couple directories with c source files, in old versions 
of the source that I have kept around.
not what I'm looking for.
so the proxying must be occurring some other way.
I remember something about pyGlobus.  Looking further into ProxyGen.py I 
find CreateGlobusProxyProgrammatic
This function uses a security.grid_proxy_init function and I see that 
security is imported from pyGlobus
Ok, so I'm on the right track, but where is pyGlobus?  I don't find it 
in the AccessGrid module I downloaded from cvs.
Well it must be in my current install so I look there:
c:\python23\Lib\sitepackages\pyGlobus
There it is! and in here I find security.py. Since ProxyGen imports this 
whole file, I look through all of it looking for the mechanism that looks 
at the actual cert.  The idea being that I want to grab the expiration 
date and compare it to the current date.

So the important function here is grid_proxy_init which uses a 
grid_proxy_init or grid_proxy_init2 function from sslutilsc
So I look at sslutilsc, the only thing I find is sslutilsc.pyd. Boa(my 
source editor) can see the functions inside, but is reluctant to show me 
the source...
I see many functions that look like they would return various parameters 
from the cert:
proxy_cred_desc_struct_certdir_get would return the directory where the 
cert is kept.
proxy_cred_desc_struct_hPrivKey_get would return the hash of the Private 
Key.
etc...

But nowhere do I see that I can grab the expiration date for the cert.

Now I'm thinking that the bad password message gets displayed, so I 
should look for where that occurs, because I didn't see it in 
ProxyGen.py before.
In ProxyGen.py I look at CreateGlobusProxyProgrammatic and find there 
are exceptions that include an error message about an expired cert.  So 
I'll have to test this with an expired cert.  I wonder how I might 
create that...?

Anyway, this focuses my attention a bit and I redefine my goal to more 
directly address the problem I had yesterday.
Goal: When a service is started using a service cert, check to see if 
the service cert is expired. If so, alert the user at the VenueClient.

So now I need to figure out where services are started.  I consult the API.
AGNodeService, AGService and AGServiceManager stand out
I start with AGServiceManager because that's what will have to consult 
the service cert first? just a guess.
AGServiceManagerIW doesn't have any interface for checking the cert.
AGServiceManagerI looks the same as the IW
AGServiceManager looks the same as the I
So I look at ag_source/ag2.3+/AccessGrid/bin/AGServiceManager to see 
where it checks for a cert
I don't find anything directly related here. but "from 
AccessGrid.Toolkit import Service" makes me think that might be a place 
to look.
in ag_source/ag2.3+/AccessGrid/AccessGrid/Toolkit.py I find the Service 
class and in there is a commented function _CheckRequestedCert.  I keep 
looking and below that I find the Initialize function which calls 
GetDefaultSubject(), which is a wrapper for 
Service.instance().GetDefaultSubject() with a couple alternatives in 
case that call fails.
So I look for Service.instance().GetDefaultSubject() but instance is 
there just to assure that we are only dealing with one particular 
instance of a service and based on the indentation, GetDefaultSubject() 
is defined outside the Service class.  So now I'm confused as to where 
GetDefaultSubject() actually does anything.  In the comments I notice 
that the Service class is being initialized according to AGEP-0112.  
Perhaps that's worth a look.  I go looking for AGEP-0112.
Not knowing exactly where they are stored, I search from accessgrid.org 
home page, no matches found.  I search for AGEP and find two entries. in 
the first one, I find a link to
http://www-unix.mcs.anl.gov/fl/research/accessgrid/documentation/agep/AGEP-0109.html
I alter the link to be
http://www-unix.mcs.anl.gov/fl/research/accessgrid/documentation/agep/AGEP-0112.html  

The page informs me about the init code for AGtk.
Step 3 is Security Environment verification and Globus Initialization is 
listed as a bullet under that.  One other section mentions security:
Security Issues

This work should make the toolkit more secure, by enforcing all software 
built using the AGTk conforms to the security environment created by the 
AGTk.

Also this:
Related AGEPs

    * Platform Refactoring 213
    * Authorization Refactoring 213
    * Core Refactoring 213

I just need to figure out what they mean.

I try 
http://www-unix.mcs.anl.gov/fl/research/accessgrid/documentation/agep/AGEP-0213.html
No luck
http://www-unix.mcs.anl.gov/fl/research/accessgrid/documentation/agep/
reveals an index of the AGEPs.  Bookmark this page.
I find Authorization Refactoring as AGEP-105
AGEP-0105.html gives much more detail.  But authorization seems to only 
refer to getting access to a venue.
A look at the platform refactoring AGEP-108 doesn't offer much more info.

Look back at AGEP search and look at second entry, but the link in that 
message is the same as the previous link.

Go back to 
ag_source/ag2.3+/AccessGrid/AccessGrid/Toolkit.py-Service.instance().GetDefaultSubject() 
and look at the alternatives to see if they give me any clues.  Looking 
at this again, I see that the alternatives refer to the other classes in 
this file.  So that doesn't tell me anything.

One thing I do notice is: from AccessGrid.Security import X509Subject
So let's see what X509Subject does...  this leads to Subject.py in the 
same directory which seems to lead back to X509Subject...

hmm...


At this point, I don't know where to look, I'm stuck on where to go from 
ag_source/ag2.3+/AccessGrid/AccessGrid/Toolkit.py-Service.instance().GetDefaultSubject().
So I'll post this to ag-tech in the hopes that someone can point me in 
the right direction.

Lessons learned:
Be very specific when stating the goal

Start with the API reference:
http://www-unix.mcs.anl.gov/fl/research/accessgrid/documentation/developer/api/index.html

Be aware to look in the current install rather than just the module 
checked out from cvs.

I hope this helps.  Anyone have any ideas on where I should look next?

-- 
Thanx,

Michael Miller
System Engineer
Video Technology Services
Persistent Infrastructure Directorate
National Center for Supercomputing Applications
University of Illinois - UC
217-649-0747

"If you're clear in your vision and trust the people in your team with clear objectives, they will invariably do their best to achieve everything desired, and usually deliver everything you could have hoped for and even more." -Paul Debevec
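
The check the diary is after (read the certificate's expiration date and compare it with the current date), as an added example that is not part of the original post and is not AGTk or pyGlobus code. It walks the DER structure of an X.509 certificate using only the Python 3 standard library; every function name here is hypothetical, and the sample certificate is a constructed, unsigned skeleton.

```python
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware UTC datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    dt = datetime.strptime(raw.decode("ascii"), fmt)
    year = dt.year - 100 if tag == 0x17 and dt.year >= 2050 else dt.year  # RFC 5280 pivot
    return dt.replace(year=year, tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    pos = read_tlv(der, read_tlv(der, 0)[1])[1]   # enter Certificate, then tbsCertificate
    tag, _, end = read_tlv(der, pos)
    pos = end if tag == 0xA0 else pos        # skip the optional [0] version
    for _ in range(3):                       # skip serialNumber, signature, issuer
        pos = read_tlv(der, pos)[2]
    tag, pos, _ = read_tlv(der, pos)         # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity field not found")
    tag, start, pos = read_tlv(der, pos)
    not_before = parse_time(tag, der[start:pos])
    tag, start, end = read_tlv(der, pos)
    return not_before, parse_time(tag, der[start:end])

def cert_status(der, now=None):
    """Return 'expired', 'not yet valid' or 'valid' at time now (default: current UTC)."""
    not_before, not_after = validity(der)
    now = now or datetime.now(timezone.utc)
    if now > not_after:
        return "expired"
    return "not yet valid" if now < not_before else "valid"

def tlv(tag, body):                          # DER encoder for bodies under 128 bytes
    return bytes([tag, len(body)]) + body

def sample_cert(not_before, not_after):
    """Constructed, unsigned skeleton holding only the fields validity() walks."""
    times = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 2 + times
    return tlv(0x30, tlv(0x30, tbs))
```

A PEM file can be converted to DER first with ssl.PEM_cert_to_DER_cert() from the standard library; the caller would turn an "expired" result into the user-facing alert.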



