Hi Andy,

I agree on being careful and asking others. At the same time
it seems to me that the main consumer of that field is the default
Acc plugin. Which format does it expect for the "group" field?

- comma-separated list of groups or just one?
- should they start with a slash (why?!?!) as I see in the example
configs?

As I said, we can publish a fix to epel pretty quickly, and I would like it to be
the right thing :-)

Cheers
Fabrizio



On 08/21/2017 10:23 AM, xrootd-dev wrote:
> Hi Fabrizio,
>
> My first take is that the group field should be populated; it's part of
> the x509 cert. I'd like to say that it should be populated just the same
> way as the VOMS plugin does. I say "like" because I'm not convinced that
> the VOMS plugin actually does it the right way (hence your question about
> the slash). So, let's see what other people say before we change
> anything. Mind you we do have compatibility issues here but it would be
> good to hear from others anyway.
>
> Andy
>
> On Mon, 21 Aug 2017, Fabrizio Furano wrote:
>
>> Hi,
>>
>> well, if you think that xrdhttpvoms should populate one more
>> field (group) we can do it and publish pretty quickly to epel.
>>
>> How should it be populated? Shall the group names start with
>> a slash?
>>
>> Cheers
>> Fabrizio
>>
>>
>>
>> On 08/20/2017 09:50 PM, xrootd-dev wrote:
>>> It would appear that the voms plugin used by xrootd authentication
>>> populates the group field while the HTTP one does not (or populates it in a
>>> different way). This I deduce because you said:
>>>
>>> ```
>>> g /atlas /beegfs/grid/atlas/atlaslocalgroupdisk
>>> ```
>>> Changing that to:
>>> ```
>>> u * /beegfs/grid/atlas/atlaslocalgroupdisk
>>> ```
>>> lets things work fine, but of course I do not want that.
>>>
>>> The authentication rule works perfectly fine via the xrootd protocol.
>>>
>>> So, the question is why is this the case?
>>>
>>> Yes, to switch to using o and r as well as composite rules (i.e. ones that
>>> "and" o and r, among others), will be available in 4.7.0.
>>>
>>> Andy
>>>
>>> On Sun, 20 Aug 2017, olifre wrote:
>>>
>>>>> LCMAPS provides the username mapping and extraction, then maps VOMS groups to the Xrootd group names.
>>>>
>>>> This sounds like a nice alternative! I looked at `xrdhttpvoms` since it seemed to be more lightweight.
>>>>
>>>> I'll have a look after my holidays are over - unless xrootd 4.7 comes out in the meanwhile and lets `xrdhttpvoms` magically work when using `o` ;-).
>>>>
>>>> --
>>>> You are receiving this because you are subscribed to this thread.
>>>> Reply to this email directly or view it on GitHub:
>>>> https://github.com/xrootd/xrootd/issues/566#issuecomment-323602010
>>>>
>>>> ########################################################################
>>>> Use REPLY-ALL to reply to list
>>>>
>>>> To unsubscribe from the XROOTD-DEV list, click the following link:
>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>>
>>>
>>
>>
>>
>
>

