Before I reopen this issue or create a new one, I wanted to confirm the expected behaviour (in 5.3). When facing with the same set of roles & groups ``` sec.vorg="cms cms cms cms cms" sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" sec.role="production NULL NULL NULL NULL" ``` I can see the mapping ``` 211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/Role=production/Capability=NULL' 211206 11:13:25 237 XrdVomsFun: ---> group: '/cms/ALARM', role: 'NULL', cap: 'NULL' 211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/ALARM/Role=NULL/Capability=NULL' 211206 11:13:25 237 XrdVomsFun: ---> group: '/cms/GGUSExpert', role: 'NULL', cap: 'NULL' 211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/GGUSExpert/Role=NULL/Capability=NULL' 211206 11:13:25 237 XrdVomsFun: ---> group: '/cms', role: 'NULL', cap: 'NULL' 211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/Role=NULL/Capability=NULL' 211206 11:13:25 237 XrdVomsFun: ---> group: '/cms/TEAM', role: 'NULL', cap: 'NULL' 211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/TEAM/Role=NULL/Capability=NULL' ``` from the code, it looks like for `grpopt=useall` it would just add things up separated by `,`. But from the Authfile side it looks like `/cms/Role=production/Capability=NULL` is overwritten by `/cms/Role=NULL/Capability=NULL`. Is this the expected behaviour of `useall` (`NULL` overwriting `production` role)? ## RPMs ```bash xrootd.x86_64 1:5.3.2-1.el7 @epel xrootd-client.x86_64 1:5.3.2-1.el7 @epel xrootd-client-libs.x86_64 1:5.3.2-1.el7 @epel xrootd-libs.x86_64 1:5.3.2-1.el7 @epel xrootd-scitokens.x86_64 1:5.3.2-1.el7 @epel xrootd-selinux.noarch 1:5.3.2-1.el7 @epel xrootd-server.x86_64 1:5.3.2-1.el7 @epel xrootd-server-libs.x86_64 1:5.3.2-1.el7 @epel xrootd-voms.x86_64 1:5.3.2-1.el7 @epel ``` ## config ``` # # Configure HTTPS access and security # http.cadir /etc/grid-security/certificates http.desthttps yes if exec xrootd http.cert /etc/grid-security/xrd/hostcert.pem http.key /etc/grid-security/xrd/hostkey.pem http.listingdeny yes http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt xrd.protocol http:$(httpsPort) /usr/lib64/libXrdHttp.so http.selfhttps2http yes # Enable third-party-copy http.exthandler xrdtpc libXrdHttpTPC.so # Pass the bearer token to the Xrootd authorization framework. http.header2cgi Authorization authz fi http.secxtractor /usr/lib64/libXrdVoms.so certfmt=raw|grpopt=useall|vos=atlas,cms,dteam,dune,gridpp,lz,mu3e.org,ops,wlcg|grps=/atlas,/cms,/dteam,/dune,/gridpp,/lz,/mu3e,/ops,/wlcg|dbg http.selfhttps2http no http.tlsreuse on # # Configure XRootD security # xrootd.seclib libXrdSec.so sec.protocol /usr/lib64 gsi \ -dlgpxy:1 \ -exppxy:=creds \ -ca:1 \ -crl:3 \ -cert:/etc/grid-security/xrd/hostcert.pem \ -key:/etc/grid-security/xrd/hostkey.pem \ -certdir:/etc/grid-security/certificates \ -vomsfun:/usr/lib64/libXrdVoms.so \ -vomsfunparms:certfmt=raw|grpopt=useall|vos=atlas,cms,dteam,dune,gridpp,lz,mu3e.org,ops,wlcg|grps=/atlas,/cms,/dteam,/dune,/gridpp,/lz,/mu3e,/ops,/wlcg|dbg xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem xrd.tlsca certdir /etc/grid-security/certificates acc.audit deny grant acc.authdb /etc/xrootd/Authfile acc.authrefresh 60 ofs.authorize 1 macaroons.secretkey /etc/xrootd/macaroon-secret http.exthandler xrdmacaroons libXrdMacaroons.so # Enable Macroons- and SciTokens-based mappings; if no token is present, then the GSI certificate will be used. # this line breaks GSI auth # ofs.authlib libXrdMacaroons.so libXrdAccSciTokens.so # but this works (thanks to James Walder, Lancaster University) ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg ofs.authlib ++ libXrdMacaroons.so ``` -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1369#issuecomment-986689638 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1