Table of Contents
- 1. Introduction
- 2. Command-line tools
- 3. Graphical user interfaces
- 4. Troubleshooting
- 4.1. AuthorizationException: "test DN" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken
- 4.2. AuthorizationException: "test DN" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}refresh
- 4.3. CoG Configuration and troubleshooting
The delegation service can be used when a user wants to delegate rights to a service that is hosted in the same container as the delegation service. The delegation service accepts a credential from the user and provides access to that credential to any authorized service that runs in the same container. Upon delegation, the service returns to the client an endpoint reference to the delegated credential; the client can then furnish this endpoint reference to other services as a handle to the credential.
Moreover, the endpoint reference returned on delegation can be used by the client to refresh the credential stored with the delegation service. When the client performs a refresh, the service sends notifications to any service that has registered interest in that particular credential.
The generic client wsrf-destroy can be used to remove the delegated credential.
Note: If the service being contacted is using GSI Secure Transport, then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Please see the Delegation Service Command Reference.
The requestSecurityToken AuthorizationException can occur when a client attempts to delegate a credential to the delegation factory service (using globus-credential-delegate) and the client's DN is not in the grid map file configured for that service.
Note: The "test DN" in the error message is just a placeholder; the actual message contains the DN of the user attempting to access the credential.
The refresh AuthorizationException can occur when a client attempts to refresh (using globus-credential-refresh) a credential it did not delegate.
Note: The "test DN" in the error message is just a placeholder; the actual message contains the DN of the user attempting to access the credential.
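A triage helper for the two exceptions above, added here as an example; it is not part of the Globus documentation or toolkit. It assumes the usual grid map file layout (a quoted DN followed by comma-separated local accounts), and the function names, sample DNs and sample file contents are constructed for illustration.

```python
import re
import shlex

# Message shape taken from the two troubleshooting entries on this page.
EXC_RE = re.compile(
    r'AuthorizationException: "(?P<dn>[^"]+)" is not authorized to use '
    r'operation: \{(?P<ns>[^}]+)\}(?P<op>\w+)')

def parse_gridmap(text):
    """Return {DN: [local accounts]} from grid map file text (assumed layout)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        try:
            parts = shlex.split(line)     # keeps the quoted DN as one token
        except ValueError:
            continue                      # unbalanced quote: skip malformed line
        if len(parts) >= 2:
            entries[parts[0]] = parts[1].split(",")
    return entries

def triage(log_line, gridmap_text):
    """Map one exception line to the cause this page gives for it."""
    m = EXC_RE.search(log_line)
    if not m:
        return None
    dn, op = m.group("dn"), m.group("op")
    if op == "requestSecurityToken":
        if dn in parse_gridmap(gridmap_text):
            cause = "DN is listed here; confirm this is the file the factory service uses"
        else:
            cause = "DN is missing from the delegation factory service grid map file"
    elif op == "refresh":
        cause = "DN did not delegate the credential it tried to refresh"
    else:
        cause = "operation not covered by these troubleshooting entries"
    return {"dn": dn, "operation": op, "cause": cause}

# Constructed sample inputs (not real users or real log output).
SAMPLE_GRIDMAP = '''# constructed grid map file
"/O=Grid/OU=Example/CN=Alice Example" alice
"/O=Grid/OU=Example/CN=Bob Example" bob,bobadmin
'''
NS = "{http://www.globus.org/08/2004/delegationService}"
SAMPLE_LOG = ('AuthorizationException: "/O=Grid/OU=Example/CN=Carol Example" '
              'is not authorized to use operation: ' + NS + 'requestSecurityToken')

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_GRIDMAP))
```

When the service is reached over GSI Secure Transport, remember that authorization is based on the DN of the container credentials, as the note earlier on this page states.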
Also, for security-related troubleshooting, the CoG FAQ might prove useful (especially the sections on configuring credentials, CAs and so on).