 |
 |
On Jun 7, 2011, at 11:21 AM, Andrew Hanushevsky wrote: > > > On Tue, 7 Jun 2011, Brian Bockelman wrote: > >> >> On Jun 7, 2011, at 12:04 AM, Andrew Hanushevsky wrote: >> >>> Hi Matevz, >> >> There's two things here, no? The wire protocol, and what gets used internally. It's locally a huge issue to have the 8-character limit for authorization and logging, as almost none of our user accounts are 8 characters (in fact, about 3,000 of them are not uniquely identifiable by using only 8 characters). > The traceid is not secure it is not supposed to be used for authorization. Never never never. It is used merely for logging and has nothing to do with the authorization scheme. You *must* use the authenticated name for authorization and that is unlimited. Please do not confuse those two items. > Alright, now I'm confused. My understanding is that Matevz was complaining that the name recorded in the new monitoring record was truncated at 8 characters. I'm fine with the trace-id being "truncated", as we can back-track it to their login, which looks like this: 110607 02:47:20 5315 XrootdXeq: glxcuser.2050:[log in to unmask] login as uscmsPool1836 I assume the trace-id is the "glxcuser.2050:[log in to unmask]", which I'm assuming is simply an opaque unique identifier (and hence not meant to derive meaning, such as a user name, from). Brian