[AG-TECH] Adventures of a newbie AGtk developer
mimiller at ncsa.uiuc.edu
Thu May 19 14:41:18 CDT 2005
I thought I'd try to keep a diary of my experiences as I look to add
something to the AGtk. Hopefully this will point out where things can be
improved or docs be created to help new developers find what they need.
So my goal today is to add an alert message that tells the user his/her
globus certificate is expired.
Not knowing anything about how globus is implemented, I start with what I
perceive as the beginning:
Search ag_source/ag2.3+/AccessGrid/bin/VenueClient.py for "cert" , nothing
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClient.py for "cert" ,
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientUI.py for "cert" ,
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientObserver.py for
"cert" , nothing found
Search ag_source/ag2.3+/AccessGrid/AccessGrid/VenueClientController.py for
"cert" , find:
ManageCertificates menu is provided by CertMgmt module
hmmm, this is interesting I wonder where the CertMgmt module is.
consult online API and find that "The Security module encapsulates all the
interfaces used by the Access Grid Toolkit for doing
security related work"
ok, now I have a real lead here.
Look in ag_source/ag2.3+/AccessGrid/AccessGrid/Security
ProxyGen.py stands out because that's the point where I want to put the
in here I find a function that uses the command line grid-proxy-init tool
to create a proxy.
but upon looking for the tool on my machine in the path described, I can't
find the executable.
there is an error check here for a bad password, perhaps instead of looking
for a specific error, I could just pass whatever error string is
returned. The entire returned value is sent to GridProxyInitError in other
cases, but I'm thinking that function just dumps something in a log, which
is not always helpful to the average user. and it's obvious that this is
not the way proxies are currently created so, let's look elsewhere.
search ag_source for anything named grid-proxy-init
all I find is a couple directories with c source files, in old versions of
the source that I have kept around.
not what I'm looking for.
so the proxying must be occurring some other way.
I remember something about pyGlobus. Looking further into ProxyGen.py I
This function uses a security.grid_proxy_init function and I see that
security is imported from pyGlobus
Ok, so I'm on the right track, but where is pyGlobus? I don't find it in
the AccessGrid module I downloaded from cvs.
Well it must be in my current install so I look there:
There it is! and in here I find security.py. Since ProxyGen imports this
whole file, I look through all of it looking for the mechanism that looks at
the actual cert. The idea being that I want to grab the expiration date
and compare it to the current date.
So the important function here is grid_proxy_init which uses a
grid_proxy_init or grid_proxy_init2 function from sslutilsc
So I look at sslutilsc, the only thing I find is sslutilsc.pyd. Boa(my
source editor) can see the functions inside, but is reluctant to show me
I see many functions that look like they would return various parameters
from the cert:
proxy_cred_desc_struct_certdir_get would return the directory where the
cert is kept.
proxy_cred_desc_struct_hPrivKey_get would return the hash of the Private Key.
But nowhere do I see that I can grab the expiration date for the cert.
Now I'm thinking that the bad password message gets displayed, so I should
look for where that occurs, because I didn't see it in ProxyGen.py before.
In ProxyGen.py I look at CreateGlobusProxyProgrammatic and find there are
exceptions that include an error message about an expired cert. So I'll
have to test this with an expired cert. I wonder how I might create that...?
Anyway, this focuses my attention a bit and I redefine my goal to more
directly address the problem I had yesterday.
Goal: When a service is started using a service cert, check to see if the
service cert is expired. If so, alert the user at the VenueClient.
So now I need to figure out where services are started. I consult the API.
AGNodeService, AGService and AGServiceManager stand out
I start with AGServiceManager because that's what will have to consult the
service cert first? just a guess.
AGServiceManagerIW doesn't have any interface for checking the cert.
AGServiceManagerI looks the same as the IW
AGServiceManager looks the same as the I
So I look at ag_source/ag2.3+/AccessGrid/bin/AGServiceManager to see where
it checks for a cert
I don't find anything directly related here. but "from AccessGrid.Toolkit
import Service" makes me think that might be a place to look.
in ag_source/ag2.3+/AccessGrid/AccessGrid/Toolkit.py I find the Service
class and in there is a commented function _CheckRequestedCert. I keep
looking and below that I find the Initialize function which calls
GetDefaultSubject(), which is a wrapper for
Service.instance().GetDefaultSubject() with a couple alternatives in case
that call fails.
So I look for Service.instance().GetDefaultSubject() but instance is there
just to assure that we are only dealing with one particular instance of a
service and based on the indentation, GetDefaultSubject() is defined
outside the Service class. So now I'm confused as to where
GetDefaultSubject() actually does anything. In the comments I notice that
the Service class is being initialized according to AGEP-0112. Perhaps
that's worth a look. I go looking for AGEP-0112.
Not knowing exactly where they are stored, I search from accessgrid.org
home page, no matches found. I search for AGEP and find two entries. in
the first one, I find a link to
I alter the link to be
The page informs me about the init code for AGtk.
Step 3 is Security Environment verification and Globus Initialization is
listed as a bullet under that. One other section mentions security:
This work should make the toolkit more secure, by enforcing all software
built using the AGTk conforms to the security environment created by the AGTk.
* Platform Refactoring 213
* Authorization Refactoring 213
* Core Refactoring 213
I just need to figure out what they mean.
reveals an index of the AGEPs. Bookmark this page.
I find Authorization Refactoring as AGEP-105
AGEP-0105.html gives much more detail. But authorization seems to only
refer to getting access to a venue.
A look at the platform refactoring AGEP-108 doesn't offer much more info.
Look back at AGEP search and look at second entry, but the link in that
message is the same as the previous link.
Go back to
and look at the alternatives to see if they give me any clues. Looking at
this again, I see that the alternatives refer to the other classes in this
file. So that doesn't tell me anything.
One thing I do notice is: from AccessGrid.Security import X509Subject
So let's see what X509Subject does... this leads to Subject.py in the same
directory which seems to lead back to X509Subject...
At this point, I don't know where to look, I'm stuck on where to go from
So I'll post this to ag-tech in the hopes that someone can point me in the
Be very specific when stating the goal
Start with the API reference:
Be aware to look in the current install rather than just the module checked
out from cvs.
I hope this helps. Anyone have any ideas on where I should look next?
Video Technology Services
Persistent Infrastructure Directorate
National Center for Supercomputing Applications
University of Illinois - UC
"If you're clear in your vision and trust the people in your team with
clear objectives, they will invariably do their best to achieve everything
desired, and usually deliver everything you could have hoped for and even
more." -Paul Debevec
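
An added example, not part of the original post and not AGtk or pyGlobus code: one way to do the check the post is after (read the certificate's expiration date and compare it to the current date) with only the Python standard library. The minimal DER walk, the function names, the 7-day warning window and the constructed sample skeleton are assumptions for illustration; no signature or chain validation is performed.

```python
from datetime import datetime, timedelta, timezone
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("not a time element")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate SEQUENCE
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0         # skip optional [0] version
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    t1, c1, nxt = read_tlv(validity, 0)
    t2, c2, _ = read_tlv(validity, nxt)
    return parse_time(t1, c1), parse_time(t2, c2)

def check_expiry(der, now, warn=timedelta(days=7)):
    """Classify a certificate so the caller can alert the user."""
    not_before, not_after = cert_validity(der)
    if now < not_before:
        return "not yet valid"
    if now >= not_after:
        return "expired"
    return "expiring soon" if not_after - now < warn else "ok"

# Constructed sample: unsigned skeleton with dummy fields, valid 2004-05-19 to 2005-05-19.
tlv = lambda tag, body: bytes([tag, len(body)]) + body
validity = tlv(0x30, tlv(0x17, b"040519000000Z") + tlv(0x17, b"050519000000Z"))
fields = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 2
SAMPLE_DER = tlv(0x30, tlv(0x30, fields + validity))
```

For a PEM file, convert it first with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the result to `check_expiry()` with `datetime.now(timezone.utc)`.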