[AG-TECH] Adventures of a newbie AGtk developer

mimiller at ncsa.uiuc.edu mimiller at ncsa.uiuc.edu
Thu May 19 14:41:18 CDT 2005

I thought I'd try to keep a diary of my experiences as I look to add 
something to the AGtk.  Hopefully this will point out where things can be 
improved or docs be created to help new developers find what they need.

So my goal today is to add an alert message that tells the user his/her 
globus certificate is expired.

Not knowing anything about how globus is implemented, I start with what I 
perceive as the beginning:
Search ag_source/ag2.3+/AccessGrid/bin/VenueClient.py for "cert" , nothing 
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClient.py for "cert" , 
nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientUI.py for "cert" , 
nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientObserver.py for 
"cert" , nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientController.py for 
"cert" , find:

     ManageCertificates menu is provided by CertMgmt module
hmmm, this is interesting I wonder where the CertMgmt module is.

Consult online API and find that "The Security module encapsulates all the 
interfaces used by the Access Grid Toolkit for doing security related work"

ok, now I have a real lead here.

Look in ag_source/ag2.3+/AccessGrid/AccessGrid/Security
ProxyGen.py stands out because that's the point where I want to put the 
alert message.
In here I find a function that uses the command line grid-proxy-init tool 
to create a proxy.
But upon looking for the tool on my machine in the path described, I can't 
find the executable.
There is an error check here for a bad password; perhaps instead of looking 
for a specific error, I could just pass whatever error string is 
returned.  The entire returned value is sent to GridProxyInitError in other 
cases, but I'm thinking that function just dumps something in a log, which 
is not always helpful to the average user.  And it's obvious that this is 
not the way proxies are currently created, so let's look elsewhere.

search ag_source for anything named grid-proxy-init
all I find is a couple directories with c source files, in old versions of 
the source that I have kept around.
not what I'm looking for.
so the proxying must be occurring some other way.
I remember something about pyGlobus.  Looking further into ProxyGen.py I 
find CreateGlobusProxyProgrammatic
This function uses a security.grid_proxy_init function and I see that 
security is imported from pyGlobus
Ok, so I'm on the right track, but where is pyGlobus?  I don't find it in 
the AccessGrid module I downloaded from cvs.
Well it must be in my current install so I look there:
There it is! And in here I find security.py. Since ProxyGen imports this 
whole file, I look through all of it looking for the mechanism that looks at 
the actual cert.  The idea being that I want to grab the expiration date 
and compare it to the current date.

So the important function here is grid_proxy_init which uses a 
grid_proxy_init or grid_proxy_init2 function from sslutilsc
So I look at sslutilsc; the only thing I find is sslutilsc.pyd. Boa (my 
source editor) can see the functions inside, but is reluctant to show me 
the source...
I see many functions that look like they would return various parameters 
from the cert:
proxy_cred_desc_struct_certdir_get would return the directory where the 
cert is kept.
proxy_cred_desc_struct_hPrivKey_get would return the hash of the Private Key.

But nowhere do I see that I can grab the expiration date for the cert.

Now I'm thinking that the bad password message gets displayed, so I should 
look for where that occurs, because I didn't see it in ProxyGen.py before.
In ProxyGen.py I look at CreateGlobusProxyProgrammatic and find there are 
exceptions that include an error message about an expired cert.  So I'll 
have to test this with an expired cert.  I wonder how I might create that...?

Anyway, this focuses my attention a bit and I redefine my goal to more 
directly address the problem I had yesterday.
Goal: When a service is started using a service cert, check to see if the 
service cert is expired. If so, alert the user at the VenueClient.

So now I need to figure out where services are started.  I consult the API.
AGNodeService, AGService and AGServiceManager stand out
I start with AGServiceManager because that's what will have to consult the 
service cert first? just a guess.
AGServiceManagerIW doesn't have any interface for checking the cert.
AGServiceManagerI looks the same as the IW
AGServiceManager looks the same as the I
So I look at ag_source/ag2.3+/AccessGrid/bin/AGServiceManager to see where 
it checks for a cert
I don't find anything directly related here, but "from AccessGrid.Toolkit 
import Service" makes me think that might be a place to look.
in ag_source/ag2.3+/AccessGrid/AccessGrid/Toolkit.py I find the Service 
class and in there is a commented function _CheckRequestedCert.  I keep 
looking and below that I find the Initialize function which calls 
GetDefaultSubject(), which is a wrapper for 
Service.instance().GetDefaultSubject() with a couple alternatives in case 
that call fails.
So I look for Service.instance().GetDefaultSubject() but instance is there 
just to assure that we are only dealing with one particular instance of a 
service and based on the indentation, GetDefaultSubject() is defined 
outside the Service class.  So now I'm confused as to where 
GetDefaultSubject() actually does anything.  In the comments I notice that 
the Service class is being initialized according to AGEP-0112.  Perhaps 
that's worth a look.  I go looking for AGEP-0112.
Not knowing exactly where they are stored, I search from accessgrid.org 
home page, no matches found.  I search for AGEP and find two entries. In 
the first one, I find a link to
I alter the link to be

The page informs me about the init code for AGtk.
Step 3 is Security Environment verification and Globus Initialization is 
listed as a bullet under that.  One other section mentions security:
Security Issues

This work should make the toolkit more secure, by enforcing all software 
built using the AGTk conforms to the security environment created by the AGTk.

Also this:
Related AGEPs

     * Platform Refactoring 213
     * Authorization Refactoring 213
     * Core Refactoring 213

I just need to figure out what they mean.

I try 
No luck
reveals an index of the AGEPs.  Bookmark this page.
I find Authorization Refactoring as AGEP-105
AGEP-0105.html gives much more detail.  But authorization seems to only 
refer to getting access to a venue.
A look at the platform refactoring AGEP-108 doesn't offer much more info.

Look back at AGEP search and look at second entry, but the link in that 
message is the same as the previous link.

Go back to 
and look at the alternatives to see if they give me any clues.  Looking at 
this again, I see that the alternatives refer to the other classes in this 
file.  So that doesn't tell me anything.

One thing I do notice is: from AccessGrid.Security import X509Subject
So let's see what X509Subject does...  this leads to Subject.py in the same 
directory which seems to lead back to X509Subject...


At this point, I don't know where to look, I'm stuck on where to go from 
So I'll post this to ag-tech in the hopes that someone can point me in the 
right direction.

Lessons learned:
Be very specific when stating the goal

Start with the API reference:

Be aware to look in the current install rather than just the module checked 
out from cvs.

I hope this helps.  Anyone have any ideas on where I should look next?


Michael Miller
System Engineer
Video Technology Services
Persistent Infrastructure Directorate
National Center for Supercomputing Applications
University of Illinois - UC

"If you're clear in your vision and trust the people in your team with 
clear objectives, they will invariably do their best to achieve everything 
desired, and usually deliver everything you could have hoped for and even 
more." -Paul Debevec 
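
The check this diary is hunting for, reading a certificate's expiration date and comparing it to the current date, as an added example that is not part of the original post or of the AGtk or pyGlobus code. It assumes current Python 3 with only the standard library; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def cert_not_after(cert):
    """Return notAfter (UTC) of an X.509 certificate given as PEM str or DER bytes."""
    if isinstance(cert, str):
        m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", cert, re.S)
        if not m:
            raise ValueError("no PEM certificate block found")
        cert = base64.b64decode(m.group(1))
    _, pos, _ = _tlv(cert, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                    # optional explicit [0] version field
        pos = end
    for _field in range(3):            # skip serialNumber, signature, issuer
        _, _, pos = _tlv(cert, pos)
    _, pos, _ = _tlv(cert, pos)        # enter validity SEQUENCE
    _, _, pos = _tlv(cert, pos)        # skip notBefore
    tag, start, end = _tlv(cert, pos)  # notAfter
    text = cert[start:end].decode("ascii")
    if tag == 0x17:                    # UTCTime: RFC 5280 reads YY >= 50 as 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                  # anything else must be GeneralizedTime
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiry_status(cert, now=None, warn_days=7):
    """Return 'expired', 'expiring' or 'ok', the decision a UI alert would key on."""
    left = cert_not_after(cert) - (now or datetime.now(timezone.utc))
    if left <= timedelta(0):
        return "expired"
    return "expiring" if left <= timedelta(days=warn_days) else "ok"

# Constructed sample: unsigned DER skeleton with only the fields walked above.
SAMPLE_DER = (bytes.fromhex("3035302ea00302010202010130003000301e170d") + b"040519000000Z"
              + bytes.fromhex("170d") + b"050518000000Z" + bytes.fromhex("30003000030100"))
```

The parser only reads the validity field; it does not verify the signature or the chain, so it answers "is this cert past its notAfter?" and nothing more.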
