Before I reopen this issue or create a new one, I wanted to confirm the expected behaviour (in 5.3).

When presented with the same set of roles & groups
```
sec.vorg="cms cms cms cms cms" sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" sec.role="production NULL NULL NULL NULL" 
```

I can see the mapping
```
211206 11:13:25 237  XrdVomsFun:  ---> fqan: '/cms/Role=production/Capability=NULL'
211206 11:13:25 237  XrdVomsFun:  ---> group: '/cms/ALARM', role: 'NULL', cap: 'NULL'
211206 11:13:25 237  XrdVomsFun:  ---> fqan: '/cms/ALARM/Role=NULL/Capability=NULL'
211206 11:13:25 237  XrdVomsFun:  ---> group: '/cms/GGUSExpert', role: 'NULL', cap: 'NULL'
211206 11:13:25 237  XrdVomsFun:  ---> fqan: '/cms/GGUSExpert/Role=NULL/Capability=NULL'
211206 11:13:25 237  XrdVomsFun:  ---> group: '/cms', role: 'NULL', cap: 'NULL'
211206 11:13:25 237  XrdVomsFun:  ---> fqan: '/cms/Role=NULL/Capability=NULL'
211206 11:13:25 237  XrdVomsFun:  ---> group: '/cms/TEAM', role: 'NULL', cap: 'NULL'
211206 11:13:25 237  XrdVomsFun:  ---> fqan: '/cms/TEAM/Role=NULL/Capability=NULL'
```

From the code, it looks like for `grpopt=useall` it would simply concatenate all entries, separated by `,`.
But from the Authfile side it looks like `/cms/Role=production/Capability=NULL` is overwritten by `/cms/Role=NULL/Capability=NULL`.
Is this the expected behaviour of `useall` (the `NULL` role overwriting the `production` role)? If so, an Authfile rule keyed on the `production` role would seem never to match for such a proxy.


## RPMs
```bash
xrootd.x86_64                                1:5.3.2-1.el7              @epel
xrootd-client.x86_64                         1:5.3.2-1.el7              @epel
xrootd-client-libs.x86_64                    1:5.3.2-1.el7              @epel
xrootd-libs.x86_64                           1:5.3.2-1.el7              @epel
xrootd-scitokens.x86_64                      1:5.3.2-1.el7              @epel
xrootd-selinux.noarch                        1:5.3.2-1.el7              @epel
xrootd-server.x86_64                         1:5.3.2-1.el7              @epel
xrootd-server-libs.x86_64                    1:5.3.2-1.el7              @epel
xrootd-voms.x86_64                           1:5.3.2-1.el7              @epel
```

## config

```
#
# Configure HTTPS access and security
#
http.cadir /etc/grid-security/certificates
http.desthttps yes
if exec xrootd
  http.cert /etc/grid-security/xrd/hostcert.pem
  http.key /etc/grid-security/xrd/hostkey.pem

  http.listingdeny yes
  http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
  xrd.protocol http:$(httpsPort) /usr/lib64/libXrdHttp.so
  http.selfhttps2http yes

  # Enable third-party-copy
  http.exthandler xrdtpc libXrdHttpTPC.so

  # Pass the bearer token to the Xrootd authorization framework.
  http.header2cgi Authorization authz
fi
http.secxtractor /usr/lib64/libXrdVoms.so certfmt=raw|grpopt=useall|vos=atlas,cms,dteam,dune,gridpp,lz,mu3e.org,ops,wlcg|grps=/atlas,/cms,/dteam,/dune,/gridpp,/lz,/mu3e,/ops,/wlcg|dbg
http.selfhttps2http no
http.tlsreuse on

#
# Configure XRootD security
#

xrootd.seclib libXrdSec.so

sec.protocol /usr/lib64 gsi \
    -dlgpxy:1 \
    -exppxy:=creds \
    -ca:1 \
    -crl:3 \
    -cert:/etc/grid-security/xrd/hostcert.pem \
    -key:/etc/grid-security/xrd/hostkey.pem \
    -certdir:/etc/grid-security/certificates \
    -vomsfun:/usr/lib64/libXrdVoms.so \
    -vomsfunparms:certfmt=raw|grpopt=useall|vos=atlas,cms,dteam,dune,gridpp,lz,mu3e.org,ops,wlcg|grps=/atlas,/cms,/dteam,/dune,/gridpp,/lz,/mu3e,/ops,/wlcg|dbg

xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates

acc.audit deny grant
acc.authdb /etc/xrootd/Authfile
acc.authrefresh 60

ofs.authorize 1

macaroons.secretkey /etc/xrootd/macaroon-secret
http.exthandler xrdmacaroons libXrdMacaroons.so
# Enable Macaroons- and SciTokens-based mappings; if no token is present, then the GSI certificate will be used.
# this line breaks GSI auth
# ofs.authlib libXrdMacaroons.so libXrdAccSciTokens.so
# but this works (thanks to James Walder, Lancaster University)
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so
```

https://github.com/xrootd/xrootd/issues/1369#issuecomment-986689638
