CSEC_API(3) | LCG Security Functions | CSEC_API(3) |
Csec_api - Provides authentication in LCG services
Header file:
#include <Csec_api.h>
On the client side:
int Csec_client_initContext(Csec_context_t *ctx, int service_type, Csec_protocol *protocols);
int Csec_client_establishContext(Csec_context_t *ctx, int socket);
int Csec_client_setSecurityOpts(Csec_context_t *ctx, int opt);
int Csec_client_setAuthorizationId(Csec_context_t *ctx, const char *mech, const char *name);
int Csec_client_setVOMS_data(Csec_context_t *ctx, const char *voname, char **fqan, int nbfqan);
On the server side:
int Csec_server_initContext(Csec_context_t *ctx, int service_type, Csec_protocol *protocols);
int Csec_server_reinitContext(Csec_context_t *ctx, int service_type, Csec_protocol *protocols);
int Csec_server_establishContext(Csec_context_t *ctx, int socket);
int Csec_server_getClientId(Csec_context_t *ctx, char **mech, char **name);
int Csec_server_getAuthorizationId(Csec_context_t *ctx, char **mech, char **name);
int Csec_server_getDelegatedCredentials(Csec_context_t *ctx, char **mech, void **buf, size_t *size);
int Csec_server_setSecurityOpts(Csec_context_t *ctx, int opt);
char *Csec_server_get_client_ca(Csec_context_t *ctx);
char *Csec_server_get_client_vo(Csec_context_t *ctx);
char **Csec_server_get_client_fqans(Csec_context_t *ctx, int *nbfqan);
Common functions:
int Csec_clearContext(Csec_context_t *ctx);
int Csec_getErrorMessage();
int Csec_getErrorMessageSummary(size_t maxlen);
int Csec_mapToLocalUser(const char *mech, const char *name, char *username, size_t username_size, uid_t *uid, gid_t *gid);
Csec_context_t *Csec_get_default_context();
Csec_api functions allow for the implementation of strong authentication mechanisms in LCG servers and clients. Csec_api is integrated with the LCG framework for errors.
CSEC_OPT_DELEG_FLAG
Requests that delegated credentials from the client are made available to the server. Either the client or the server may set this option, and it will automatically limit the selection of authentication method to one that supports delegation (currently only GSI).
CSEC_OPT_NODELEG_FLAG
Directs the client or server to disallow delegation. If the other side requests delegation, establishing the security context will fail.
If neither side sets any options the default behaviour is to not delegate a credential.
On the server side, the AuthorizationId may be retrieved after the security context is established. If the client did not set any id the server will receive an error when Csec_server_getAuthorizationId() is called. Pointers to the mechanism and the name will be returned in mech and name. Either may be set to NULL, in which case no pointer is returned. Upon successful return the list of VOMS fqans and the VOMS voname available to the server will also be reset to those which the client set manually, or will be emptied if the client did not set any. The strings returned are associated with the context and should be copied before the context is reset or cleared.
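The copy-before-clear rule above, shown as an added example that is not part of the original manual page or of the LCG code. The `Csec_context_t` layout and the two `Csec_*` function bodies are constructed stand-ins so the block compiles without the library; `dup_str` and `authz_id_dup` are hypothetical helper names.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for <Csec_api.h>: the struct layout and both bodies are
 * assumptions that only mimic the documented behaviour. With the real library,
 * include the header and delete this section. */
typedef struct { char *mech, *name; } Csec_context_t;

int Csec_server_getAuthorizationId(Csec_context_t *ctx, char **mech, char **name)
{
    if (ctx->name == NULL) return -1;        /* client set no id: error */
    if (mech) *mech = ctx->mech;             /* pointers into the context */
    if (name) *name = ctx->name;
    return 0;
}

int Csec_clearContext(Csec_context_t *ctx)
{
    free(ctx->mech); free(ctx->name);        /* earlier pointers now dangle */
    ctx->mech = ctx->name = NULL;
    return 0;
}

/* Hypothetical helper: heap copy of a NUL-terminated string. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Hypothetical helper: fetch the AuthorizationId and return caller-owned
 * copies that stay valid after the context is reset or cleared.
 * Returns 0 on success, -1 if no id was set or memory ran out. */
int authz_id_dup(Csec_context_t *ctx, char **mech_out, char **name_out)
{
    char *mech = NULL, *name = NULL;

    *mech_out = *name_out = NULL;
    if (Csec_server_getAuthorizationId(ctx, &mech, &name) < 0 || !mech || !name)
        return -1;
    *mech_out = dup_str(mech);
    *name_out = dup_str(name);
    if (*mech_out == NULL || *name_out == NULL) {
        free(*mech_out); free(*name_out);
        *mech_out = *name_out = NULL;
        return -1;
    }
    return 0;
}
```

The caller frees both copies with `free()` once the identity is no longer needed.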
In case of errors in the Csec_api layer, the functions return -1 (or NULL for the functions returning strings) and serrno is set accordingly. The detailed error message can be obtained with the Csec_getErrorMessage() or Csec_getErrorMessageSummary() functions. The Csec_getErrorMessageSummary() function will return a summary message that should need at most maxlen bytes of storage (including the terminating null). The detail of the message may be cut in various ways to make it fit in the specified length.
The currently supported methods for authentication are:
If the Csec_api library was compiled thread safe (e.g. it was built defining the _THREAD_SAFE macro, which is the standard way), then the library should be thread safe. If the application using Csec_api also defines _THREAD_SAFE, Csec attempts to use thread safe versions of any underlying security libraries that are used for the authentication service.
For instance, in the case of GSI, the thread safe version of Globus may, in areas other than security, sometimes create threads. If the application using Csec_api needs to link to the GSI libraries for its own use, then the threading flavour should be consistent. Therefore, if the non-threaded Globus libraries are required, do not define the _THREAD_SAFE macro.
LCG Grid Deployment Team
$Date: 2010-08-04 09:17:39 +0200 (Wed, 04 Aug 2010) $ | LCG |