Before I reopen this issue or create a new one, I wanted to confirm the expected behaviour (in 5.3).
When facing with the same set of roles & groups
sec.vorg="cms cms cms cms cms" sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" sec.role="production NULL NULL NULL NULL"
I can see the mapping
211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/Role=production/Capability=NULL'
211206 11:13:25 237 XrdVomsFun: ---> group: '/cms/ALARM', role: 'NULL', cap: 'NULL'
211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/ALARM/Role=NULL/Capability=NULL'
211206 11:13:25 237 XrdVomsFun: ---> group: '/cms/GGUSExpert', role: 'NULL', cap: 'NULL'
211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/GGUSExpert/Role=NULL/Capability=NULL'
211206 11:13:25 237 XrdVomsFun: ---> group: '/cms', role: 'NULL', cap: 'NULL'
211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/Role=NULL/Capability=NULL'
211206 11:13:25 237 XrdVomsFun: ---> group: '/cms/TEAM', role: 'NULL', cap: 'NULL'
211206 11:13:25 237 XrdVomsFun: ---> fqan: '/cms/TEAM/Role=NULL/Capability=NULL'
from the code, it looks like for grpopt=useall
it would just add things up separated by ,
.
But from the Authfile side it looks like /cms/Role=production/Capability=NULL
is overwritten by /cms/Role=NULL/Capability=NULL
.
Is this the expected behaviour of useall
(NULL
overwriting production
role)?
xrootd.x86_64 1:5.3.2-1.el7 @epel
xrootd-client.x86_64 1:5.3.2-1.el7 @epel
xrootd-client-libs.x86_64 1:5.3.2-1.el7 @epel
xrootd-libs.x86_64 1:5.3.2-1.el7 @epel
xrootd-scitokens.x86_64 1:5.3.2-1.el7 @epel
xrootd-selinux.noarch 1:5.3.2-1.el7 @epel
xrootd-server.x86_64 1:5.3.2-1.el7 @epel
xrootd-server-libs.x86_64 1:5.3.2-1.el7 @epel
xrootd-voms.x86_64 1:5.3.2-1.el7 @epel
#
# Configure HTTPS access and security
#
http.cadir /etc/grid-security/certificates
http.desthttps yes
if exec xrootd
http.cert /etc/grid-security/xrd/hostcert.pem
http.key /etc/grid-security/xrd/hostkey.pem
http.listingdeny yes
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
xrd.protocol http:$(httpsPort) /usr/lib64/libXrdHttp.so
http.selfhttps2http yes
# Enable third-party-copy
http.exthandler xrdtpc libXrdHttpTPC.so
# Pass the bearer token to the Xrootd authorization framework.
http.header2cgi Authorization authz
fi
http.secxtractor /usr/lib64/libXrdVoms.so certfmt=raw|grpopt=useall|vos=atlas,cms,dteam,dune,gridpp,lz,mu3e.org,ops,wlcg|grps=/atlas,/cms,/dteam,/dune,/gridpp,/lz,/mu3e,/ops,/wlcg|dbg
http.selfhttps2http no
http.tlsreuse on
#
# Configure XRootD security
#
xrootd.seclib libXrdSec.so
sec.protocol /usr/lib64 gsi \
-dlgpxy:1 \
-exppxy:=creds \
-ca:1 \
-crl:3 \
-cert:/etc/grid-security/xrd/hostcert.pem \
-key:/etc/grid-security/xrd/hostkey.pem \
-certdir:/etc/grid-security/certificates \
-vomsfun:/usr/lib64/libXrdVoms.so \
-vomsfunparms:certfmt=raw|grpopt=useall|vos=atlas,cms,dteam,dune,gridpp,lz,mu3e.org,ops,wlcg|grps=/atlas,/cms,/dteam,/dune,/gridpp,/lz,/mu3e,/ops,/wlcg|dbg
xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
acc.audit deny grant
acc.authdb /etc/xrootd/Authfile
acc.authrefresh 60
ofs.authorize 1
macaroons.secretkey /etc/xrootd/macaroon-secret
http.exthandler xrdmacaroons libXrdMacaroons.so
# Enable Macroons- and SciTokens-based mappings; if no token is present, then the GSI certificate will be used.
# this line breaks GSI auth
# ofs.authlib libXrdMacaroons.so libXrdAccSciTokens.so
# but this works (thanks to James Walder, Lancaster University)
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1