Implement and test GSI auth on our docker stack for B2SAFE

[pdonorio]

• Use a shared volume across containers to have the needed certificates while testing
• Implement certification authority and request/sign on the irods server side

[pdonorio]

Implement certification authority and request/sign on the irods server side

waiting for @muccix on this task

[pdonorio]

I added the shared volume, see 1ae8689 , but this has yet to be tested

[muccix]

Ont the SERVER container:

• both a CA and a signed host certificate are already there, so no need to run "grid-ca-create" and sign the host certificate.
• generated the request for the user certificate with "grid-cert-request -nopw" (this can be done at client side as well but the command is missing there)
• signed the request with "grid-ca-sign -in usercert_request.pem -out usercert.pem". Both the usercert.pem and the userkey.pem are in the "/home/irods/.globus/" which is shared with the client container

On the CLIENT container:

• created the user "rmucci" in iRODS with "iadmin mkuser rmucci rodsuser" and set the certificate DN with "iadmin aua rmucci '/O=Grid/OU=GlobusTest/OU=simpleCA-62744a2b1a07/OU=Globus Simple CA/CN=Roberto Mucci'"
• created a new unix user "rmucci", copied the certificates in .globus/ , created the .irods/irods_environment.json as:

{ "irods_host": "rodserver", "irods_port": 1247, "irods_user_name": "rmucci", "irods_zone_name": "tempZone", "irods_authentication_scheme": "GSI" }

• run "grid-proxy-init" to generate a proxy certificate
• as rmucci user run "ils" but the iRODS GSI plugin seems to fail with the following error:

ERROR: [-] iRODS/lib/core/src/clientLogin.cpp:293:clientLogin : status [PLUGIN_ERROR_MISSING_SHARED_OBJECT] errno [] -- message [] [-] iRODS/lib/core/src/irods_gsi_object.cpp:34:resolve : status [PLUGIN_ERROR_MISSING_SHARED_OBJECT] errno [] -- message [Failed to load the GSI auth plugin.] [-] iRODS/lib/core/src/irods_auth_manager.cpp:76:init_from_type : status [PLUGIN_ERROR_MISSING_SHARED_OBJECT] errno [] -- message [Failed to load auth plugin.] [-] iRODS/lib/core/src/irods_auth_manager.cpp:55:load_auth_plugin : status [PLUGIN_ERROR_MISSING_SHARED_OBJECT] errno [] -- message [Failed to load plugin: "gsi".] [-] iRODS/lib/core/include/irods_load_plugin.hpp:175:load_plugin : status [PLUGIN_ERROR_MISSING_SHARED_OBJECT] errno [] -- message [shared library does not exist [/var/lib/irods/plugins/auth/libgsi.so]]

[akrause2014]

On the CLIENT container:

• To fix the failure you have to copy the GSI authentication plugin from the iRODS installation on the SERVER container at /var/lib/irods/plugins/auth/libgsi.so. (Installing the iRODS authentication package on the client doesn't work because it expects an iRODS server.)
• To provide the location of the X509 proxy use the environment variable X509_USER_PROXY. This will be useful for delegated proxy certificates downloaded from a proxy server.
• The GSI authentication plugin will create the proxy for you if it is not available when connecting to the iRODS server.

[pdonorio]

@akrause2014

To fix the failure you have to copy the GSI authentication plugin from the iRODS installation on the SERVER container at /var/lib/irods/plugins/auth/libgsi.so. (Installing the iRODS authentication package on the client doesn't work because it expects an iRODS server.)

I will try to look for an automatic solution to add at 'init time' (or even better inside the Dockerfile) on this. Probably there could be a way to extract the so file from the deb package.

The GSI authentication plugin will create the proxy for you if it is not available when connecting to the iRODS server.

Wow that's great. I will try to reproduce now the actions of both Roberto and your comments.

[pdonorio]

Just for the record, here is the link to the security schema we were following together with Roberto.

[pdonorio]

both a CA and a signed host certificate are already there

@muccix not for me. we can discuss this tomorrow, but i cannot find it on the server for the user 'irods'.

To make sure there are no errors is better to remove the docker volumes before doing the tests.

[muccix]

@akrause2014 thank you! Following your suggestions we were able to use icommands via GSI. I forgot that the GSI plugin is needed at client side as well. Probably the new release has also added the feature for the management of the proxy without the need to create it with grid-proxy-init.

[pdonorio]

Hello there, almost seeing the light.

By adding things directly on the container Roberto and I managed to make things work.

I automatized everything in the Dockerfile builds (see recent commits) but i am getting an error on the client side:

guest@flask:~$ ils
ERROR: unpackNonpointerItem: strlen of msg > dim size, content: DEBUG: On iRODS-Server side: GSS-API error acquiring credentials: GSS Minor Status Error Chain:

There should be something i am missing, i hope that next week my mind will be clearer and Roberto may help me out.

Another last point, to get the libgsi.so on the client side i shared a volume. I don't like this hack, i want to see how to install the library on the client too, and Roberto led me to follow this instructions. Will do.

[pdonorio]

Dear all, all the problems have been solved, also thanks to @muccix

1. What we were missing for make things work was the right permissions of the grid certificates on the irods user
2. i downloaded the gsi deb and unpacked the content to make the libgsi.so available without installing

The discussion goes now on the development side, see the related issue.