Hi,
FYI, we will push a new release of XrdHttpVOMS (0.2.5) to epel-testing in the next few days,
here's an example of the way it extracts groupnames from the primary fqan:
170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - user: '/DC=ch/DC=cern/OU=Organic
Units/OU=Users/CN=furano/CN=644746/CN=Fabrizio Furano'
170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - vorg: 'dteam'
170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - fqan[0]:/dteam/Role=NULL/Capability=NULL
170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - grps: '/dteam /dteam/Role=NULL /dteam/Role=NULL/Capability=NULL'
170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - role: 'NULL'
170831 17:27:12 4327 furano.0:24@lxplus023 VOMS proxy info - name: '/DC=ch/DC=cern/OU=Organic
Units/OU=Users/CN=furano/CN=644746/CN=Fabrizio Furano' VO: dteam grps: '/dteam /dteam/Role=NULL /dteam/Role=NULL/Capability=NULL'
Please let me know if you think that there's anything to fix for XrdAcc to treat correctly these fields.
Cheers
Fabrizio
On 08/21/2017 10:00 PM, xrootd-dev wrote:
> Thank you Brian for explaining slash usage.
>
> On Mon, 21 Aug 2017, Brian Bockelman wrote:
>
>> Looking at what I did for `XrdLcmaps`:
>> - *space*-separated list of groups.
>> - They should start with a slash; VOMS groups are hierarchical (i.e., `/atlas/foo/bar` is distinct from `/atlas/baz`) unlike
> Unix groups.
>>
>> One open question is how we should handle a proxy certificate with multiple VOMS extensions present - i.e., a proxy
> certificate with both ATLAS and CMS extensions. After all, it's perfectly acceptable for the CMS VOMS server to sign an
> extensions with FQAN `/atlas`. It's traditional that CMS group names are prefixed with `/cms`, but not enforced or validated by
> the client.
>>
>> --
>> You are receiving this because you commented.
>> Reply to this email directly or view it on GitHub:
>> https://github.com/xrootd/xrootd/issues/566#issuecomment-323732506
>>
>> ########################################################################
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-DEV list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub <https://github.com/xrootd/xrootd/issues/566#issuecomment-323838017>, or mute
> the thread <https://github.com/notifications/unsubscribe-auth/AFIaTwo5eEUSSlPBrtJwbPCOFLIQ-Ihxks5saeHsgaJpZM4O7mEG>.
>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/xrootd/xrootd","title":"xrootd/xrootd","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/xrootd/xrootd"}},"updates":{"snippets":[{"icon":"PERSON","message":"@ffurano in #566: Hi,\n\n FYI, we will push a new release of XrdHttpVOMS (0.2.5) to epel-testing in the next few days,\nhere's an example of the way it extracts groupnames from the primary fqan:\n\n170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - user: '/DC=ch/DC=cern/OU=Organic\nUnits/OU=Users/CN=furano/CN=644746/CN=Fabrizio Furano'\n170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - vorg: 'dteam'\n170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - fqan[0]:/dteam/Role=NULL/Capability=NULL\n170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - grps: '/dteam /dteam/Role=NULL /dteam/Role=NULL/Capability=NULL'\n170831 17:27:12 4327 furano.0:24@lxplus023 VOMS data - role: 'NULL'\n170831 17:27:12 4327 furano.0:24@lxplus023 VOMS proxy info - name: '/DC=ch/DC=cern/OU=Organic\nUnits/OU=Users/CN=furano/CN=644746/CN=Fabrizio Furano' VO: dteam grps: '/dteam /dteam/Role=NULL /dteam/Role=NULL/Capability=NULL'\n\n Please let me know if you think that there's anything to fix for XrdAcc to treat correctly these fields.\n\nCheers\nFabrizio\n\nOn 08/21/2017 10:00 PM, xrootd-dev wrote:\n\u003e Thank you Brian for explaining slash usage.\n\u003e \n\u003e On Mon, 21 Aug 2017, Brian Bockelman wrote:\n\u003e \n\u003e\u003e Looking at what I did for `XrdLcmaps`:\n\u003e\u003e - *space*-separated list of groups.\n\u003e\u003e - They should start with a slash; VOMS groups are hierarchical (i.e., `/atlas/foo/bar` is distinct from `/atlas/baz`) unlike\n\u003e Unix groups.\n\u003e\u003e\n\u003e\u003e One open question is how we should handle a proxy certificate with multiple VOMS extensions present - i.e., a proxy\n\u003e certificate with both ATLAS and CMS extensions. After all, it's perfectly acceptable for the CMS VOMS server to sign an\n\u003e extensions with FQAN `/atlas`. It's traditional that CMS group names are prefixed with `/cms`, but not enforced or validated by\n\u003e the client.\n\u003e\u003e\n\u003e\u003e --\n\u003e\u003e You are receiving this because you commented.\n\u003e\u003e Reply to this email directly or view it on GitHub:\n\u003e\u003e https://github.com/xrootd/xrootd/issues/566#issuecomment-323732506\n\u003e\u003e\n\u003e\u003e ########################################################################\n\u003e\u003e Use REPLY-ALL to reply to list\n\u003e\u003e\n\u003e\u003e To unsubscribe from the XROOTD-DEV list, click the following link:\n\u003e\u003e https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV\u0026A=1\n\u003e \n\u003e —\n\u003e You are receiving this because you were mentioned.\n\u003e Reply to this email directly, view it on GitHub \u003chttps://github.com/xrootd/xrootd/issues/566#issuecomment-323838017\u003e, or mute\n\u003e the thread \u003chttps://github.com/notifications/unsubscribe-auth/AFIaTwo5eEUSSlPBrtJwbPCOFLIQ-Ihxks5saeHsgaJpZM4O7mEG\u003e.\n\u003e \n"}],"action":{"name":"View Issue","url":"https://github.com/xrootd/xrootd/issues/566#issuecomment-326334551"}}}
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
