 |
 |
Hi Oliver, Indeed, I see your point. However, I don't think the current voms arranges attributes as tuples. As far as I can tell, it picks the last (or first, depending on an option) identity attribute and sets the various fields in the security entity tructure. Here, then, everything will be a singleton with the eception of groups (though that's usually a singleton as well). So, are you proposing to chnage the VOMSFun to supply at attribute list of n-tuples? Are we actually structuring attributes that way with out certs today? Of course, if that's the diretion we want to go in, wouldn't it be better to simply switch to the WLCG identity tokens? Andy On Wed, 19 Jun 2019, Oliver Freyermuth wrote: > Hi Andy, > > I understand. My goal would be to support exactly the example stated in the documentation: > ``` > = atlprod o: atlas g: /atlas r: production > ``` > Seeing how vomxsrd seems to work, to do that, the triplets would have to be checked (i.e. not multi-valued fields, but a series of triplets). > > A real life example which should work (as you can see from the first post in this issue) would be: > ``` > secgsiVOMS_Fun: ---> group: '/atlas', role: 'production', cap: 'NULL' > secgsiVOMS_Fun: ---> group: '/atlas', role: 'NULL', cap: 'NULL' > secgsiVOMS_Fun: ---> group: '/atlas/lcg1', role: 'NULL', cap: 'NULL' > secgsiVOMS_Fun: ---> group: '/atlas/usatlas', role: 'NULL', cap: 'NULL' > ``` > This would result (if I parse the vomsxrd code correctly) in: > vo: `atlas atlas atlas atlas` > group: `/atlas /atlas /atlas/lcg1 /atlas/usatlas` > role: `producton NULL NULL NULL` > So for correct behaviour, the authorization code would have to go through these triplets in order - in other words, it is important that the `production` role belongs to group `/atlas` and VO `atlas`, and not to any of the other groups. > > A real life example which is broken right now (I think) is: > ``` > attribute : /atlas/de/Role=production/Capability=NULL > attribute : /atlas/de/Role=NULL/Capability=NULL > attribute : /atlas/Role=NULL/Capability=NULL > ``` > This proxy must _not_ match: > ``` > = atlprod o: atlas g: /atlas r: production > ``` > since it only has the `production` role for the "smaller" subgroup `/atlas/de`, but not for full `/atlas`. > > Cheers, > Oliver > > -- > You are receiving this because you commented. > Reply to this email directly or view it on GitHub: > https://github.com/xrootd/xrootd/issues/1006#issuecomment-503743549 -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1006#issuecomment-503751150 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1