
GSI 2.0: Proxy Definitions and Behavior


Definitions of Limited and Full Proxy

  • Full Proxy
    A Full Proxy is a proxy that has been created by grid-proxy-init or a proxy created from such a proxy by normal delegation mechanisms.

  • Limited Proxy
    A Limited Proxy is a proxy that is created from a Full Proxy when it is delegated with the limited delegation mechanism. The first time a proxy is created by the limited delegation mechanism, a level 1 Limited Proxy is created. Any subsequent delegation (limited or full) of a level N Limited Proxy creates a level N+1 Limited Proxy.


Delegation Options

  • Full Delegation
    Full delegation is the default with the GSI library when delegation is requested (note this may vary with individual applications). Full delegation of a Full Proxy results in a Full Proxy on the remote side. Full delegation of a level N Limited Proxy results in a level N+1 Limited Proxy.

  • Limited Delegation
    Limited delegation is the result of performing delegation with the GSI library when the GSS_C_GLOBUS_LIMITED_DELEG_PROXY_FLAG is also given. Limited delegation of a Full Proxy results in a level 1 Limited Proxy. Limited delegation of a level N Limited Proxy results in a level N+1 Limited Proxy.


Authentication Options

When performing GSI authentication there are three modes of operation:

  • Default
    In this mode a Full Proxy or a level 1 Limited Proxy will be accepted for authentication.

  • GSS_C_GLOBUS_LIMITED_PROXY_FLAG
    With this flag only a Full Proxy will be accepted for authentication. This mode should be used by applications that do job start-up (e.g. the gatekeeper and sshd).

  • GSS_C_GLOBUS_LIMITED_PROXY_MANY_FLAG
    With this flag any Full Proxy or Limited Proxy (of any level) will be accepted. This mode is currently used for data channel authentication with GridFTP.
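
The delegation and authentication rules above can be modelled as a small state machine. The following is an added example, not code from the GSI library: the types, function names and the ACCEPT_* mode names are hypothetical, the sample delegation chain is constructed, and no real GSS-API calls are made.

```c
#include <stdio.h>
#include <stddef.h>
/* Model only: level 0 = Full Proxy, level N >= 1 = level N Limited Proxy. */
typedef struct { unsigned level; } proxy_t;
typedef enum { DELEG_FULL, DELEG_LIMITED } deleg_t;

/* Hypothetical names for the three authentication modes on this page. */
typedef enum {
    ACCEPT_DEFAULT,    /* no flag given */
    ACCEPT_FULL_ONLY,  /* GSS_C_GLOBUS_LIMITED_PROXY_FLAG */
    ACCEPT_ANY_LEVEL   /* GSS_C_GLOBUS_LIMITED_PROXY_MANY_FLAG */
} accept_mode_t;

/* Proxy as created by grid-proxy-init. */
proxy_t full_proxy(void) { proxy_t p = { 0 }; return p; }

/* Full delegation keeps a Full Proxy full; every other case adds a level. */
proxy_t delegate(proxy_t parent, deleg_t how) {
    proxy_t child = parent;
    if (parent.level > 0 || how == DELEG_LIMITED)
        child.level = parent.level + 1;
    return child;
}

/* Apply a sequence of delegations starting from a Full Proxy. */
proxy_t delegate_chain(const deleg_t *steps, size_t n) {
    proxy_t p = full_proxy();
    for (size_t i = 0; i < n; i++) p = delegate(p, steps[i]);
    return p;
}

/* 1 if the proxy passes authentication in the given mode, else 0. */
int accepted(proxy_t p, accept_mode_t mode) {
    switch (mode) {
    case ACCEPT_FULL_ONLY: return p.level == 0;
    case ACCEPT_ANY_LEVEL: return 1;
    default:               return p.level <= 1;
    }
}

/* Constructed sample: full, then limited, then full delegation. */
static const deleg_t SAMPLE_CHAIN[] = { DELEG_FULL, DELEG_LIMITED, DELEG_FULL };

int main(void) {
    proxy_t p = delegate_chain(SAMPLE_CHAIN, 3);
    printf("level=%u default=%d full_only=%d any=%d\n", p.level, accepted(p, ACCEPT_DEFAULT),
           accepted(p, ACCEPT_FULL_ONLY), accepted(p, ACCEPT_ANY_LEVEL));
    return 0;
}
```

The sample chain ends at a level 2 Limited Proxy because full delegation of a Limited Proxy still adds a level, so only the mode corresponding to GSS_C_GLOBUS_LIMITED_PROXY_MANY_FLAG accepts it.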