Hi all,
It's always bothered me (and my site admins!) that Xrootd uses relatively rudimentary authorization compared to other deployed grid tools. Attached is a patch aimed to fix this.
It changes the way the GSI security module maps a remote user to a local username. Currently, it does this based on the certificate's DN and can dlopen() a shared library to provide the mapping, or just do a normal grid-mapfile lookup. The attached patch additionally adds a means for Xrootd to dlopen() a shared library which is passed the PEM-formatted certificate chain instead of the DN. This allows the loaded module to make mapping decisions based on other things, such as VOMS attributes.
You can download sources for the loadable module I'll be using here:
svn://t2.unl.edu/brian/XrdLcmaps
This module hands off the cert chain to the LCMAPS library developed in gLite, which can enforce different flexible authz policies. At our site, this involves GUMS, but it should support any authz policy deployed in EGI or OSG.
Let me know your thoughts,
Brian
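The two mapping paths described in the message above (a grid-mapfile keyed on the DN, and a loadable module that receives the whole PEM chain) can be illustrated with a small model. The code below is an added example written for this page; it is not Brian's patch, not the XrdLcmaps module, and not any Xrootd or LCMAPS API. The chain-mapper interface (a callable taking a list of PEM strings and returning a local username or `None`), the sample grid-mapfile, and the PEM blobs are all constructed for the illustration; the "VOMS-style" chain mapper is stood in for by a fingerprint-pinning mapper, since parsing VOMS attributes needs an X.509 library that is not assumed here. The point it makes is the dispatch order and the fail-closed result: when no mapper produces a username the request maps to nobody, rather than to a default account.

```python
import base64
import hashlib
import re
import ssl
from typing import Callable, Dict, List, Optional

# Constructed grid-mapfile (same shape as a real one: quoted DN, then one or
# more comma-separated local users; '#' starts a comment line).
SAMPLE_GRIDMAP = """\
# constructed example grid-mapfile, not a real site's data
"/DC=org/DC=example/OU=People/CN=Alice Example 1001" alice
"/DC=org/DC=example/OU=People/CN=Bob Example 1002" cmsuser,bob
"/DC=org/DC=example/OU=Services/CN=host/worker01.example.org" daemon
"""

# Constructed PEM blobs; the base64 body is not a real certificate.
SAMPLE_LEAF_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1jZXJ0\n"
    "-----END CERTIFICATE-----\n"
)
OTHER_LEAF_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"another-constructed-blob").decode("ascii") + "\n"
    "-----END CERTIFICATE-----\n"
)

_ENTRY_RE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<users>\S+)$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {DN: [local users, ...]}.

    A malformed entry raises rather than being skipped: silently dropping a
    line would change who is authorized without anyone noticing.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {lineno}: malformed entry {raw!r}")
        users = [u for u in m.group("users").split(",") if u]
        if not users:
            raise ValueError(f"grid-mapfile line {lineno}: no local user listed")
        mapping[m.group("dn")] = users
    return mapping


def gridmap_lookup(mapping: Dict[str, List[str]], dn: str) -> Optional[str]:
    """DN-only mapping: first listed local user, or None if the DN is unknown."""
    users = mapping.get(dn)
    return users[0] if users else None


def der_sha256(pem_cert: str) -> str:
    """SHA-256 fingerprint over the DER bytes of a PEM certificate block."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


# Hypothetical chain-mapper interface: receives the PEM chain (leaf first)
# and returns a local username, or None if it declines to map.
ChainMapper = Callable[[List[str]], Optional[str]]

# Constructed pin table: stands in for a module that decides on chain
# content (e.g. VOMS attributes) rather than on the bare DN.
PINNED_LEAVES: Dict[str, str] = {der_sha256(SAMPLE_LEAF_PEM): "pinnedsvc"}


def pin_mapper(chain: List[str]) -> Optional[str]:
    if not chain:
        return None
    return PINNED_LEAVES.get(der_sha256(chain[0]))


def map_user(chain: List[str], dn: str, chain_mappers: List[ChainMapper],
             gridmap: Dict[str, List[str]]) -> Optional[str]:
    """Try each chain-aware module in order, then fall back to the DN lookup.

    Returns None when nothing matches: the caller must treat that as a
    denial, never substitute a default account.
    """
    for mapper in chain_mappers:
        user = mapper(chain)
        if user is not None:
            return user
    return gridmap_lookup(gridmap, dn)


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    print(map_user([SAMPLE_LEAF_PEM], "/CN=unknown", [pin_mapper], gm))
    print(map_user([OTHER_LEAF_PEM], "/DC=org/DC=example/OU=People/CN=Alice Example 1001",
                   [pin_mapper], gm))
    print(map_user([OTHER_LEAF_PEM], "/CN=nobody", [pin_mapper], gm))
```

Running it prints `pinnedsvc`, `alice` and `None`: the pinned leaf is mapped by the chain-aware module before the grid-mapfile is consulted, Alice is mapped by her DN when no module claims the chain, and an unknown identity maps to nothing.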