I've redone the pull request in #1238. The VOMS attributes and the gridmap file are both optional configuration functionalities that don't necessarily increase the security but enforce a certain policy. Having either or both of them fail does not mean authentication was not performed or that the security was more relaxed - we do have a certificate for the user that we verified, so this should already be good enough from the security point of view.

The libXrdVoms.so plugin does what it should, namely saying there are no VOMS attributes to be extracted from a non-VOMS certificate. The XrdHttpProtocol was at fault here since it was denying access if the VOMS extractor returned an error - at the same time the libXrdHttpVOMS library was just faking an OK response when there were no VOMS attributes, and this is why all this was working. I've fixed this in the XrdHttpProtocol so that an error response from the VOMS extractor is treated properly, i.e. it should not deny access for that request.

Now all this works fine with all types of certificates, with the exception of when access is done using a token. I mentioned this in the PR: https://github.com/xrootd/xrootd/pull/1238#issuecomment-653085407
My patch does not change the behavior that exists in all current XRootD releases. Whether we want to allow this or not, and whether it is good practice or not, I guess should be the topic of a different discussion. PR #1238 allows proper handling of certificates, proxy certs and multi-delegated proxies in the context of gridmap files.

-- 
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1236#issuecomment-653554322
