
The GSI security protocol defaults to the "trymap" logic which, according to documentation, is "try to map the DN but if unsuccessful use the hash of the client’s DN as the user identifier (username)". With this change, the XrdHttpSecurity interface will follow the same logic.

Since some sites may have special setups which rely on the old mechanism, one can get the old behavior by setting the optional new compatNameGeneration configuration in the http.gridmap setting. For example:

http.gridmap compatNameGeneration /etc/xrootd/grid-mapfile

Would restore the old behavior.

With this change, a user can effectively match the nomap, trymap, and usemap settings between the XRootD and HTTP protocols and the two protocols have the same default. Without the change, only the usemap setting could be matched with HTTP. Having the defaults the same greatly decreases the "surprise" factor of using both protocols; the prior HTTP default of guessing a name from the DN is undocumented.

VOMS-based mappings (and mapfile) behavior is unaffected.

@olifre - you have one of the more complex security configs that I could think of. Would you be unaffected by this change?


You can view, comment on, or merge this pull request online at:

  https://github.com/xrootd/xrootd/pull/1640

File Changes

(3 files)
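
The "trymap" rule quoted in the description, sketched as an added example that is not taken from the pull request or the XRootD code base. The grid-mapfile content is constructed, and the exact-match lookup and the `dn_hash` stand-in (truncated SHA-256, not the hash XRootD computes) are assumptions.

```python
import hashlib
import shlex

# Constructed grid-mapfile content: a quoted certificate DN, then a local username.
SAMPLE_GRIDMAP = '''
# comment lines and blank lines are ignored
"/DC=org/DC=example/OU=People/CN=Jane Doe" jdoe
"/DC=org/DC=example/OU=Services/CN=transfer.example.org" xfer
'''


def parse_gridmap(text):
    """Return {DN: username}; malformed lines are skipped rather than guessed at."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)
        except ValueError:  # unbalanced quote around the DN
            continue
        if len(fields) == 2:
            mapping[fields[0]] = fields[1]
    return mapping


def dn_hash(dn):
    """Stand-in hash (assumption): first 8 hex digits of SHA-256 of the DN."""
    return hashlib.sha256(dn.encode("utf-8")).hexdigest()[:8]


def trymap(dn, mapping):
    """trymap: the mapped name if the DN is listed (exact match assumed here),
    otherwise the hash of the DN as the username."""
    return mapping.get(dn) or dn_hash(dn)


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    for dn in (
        "/DC=org/DC=example/OU=People/CN=Jane Doe",  # listed: maps to jdoe
        "/DC=org/DC=other/OU=People/CN=Jane Doe",    # same CN, not listed: hash
    ):
        print(f"{dn} -> {trymap(dn, gridmap)}")
```

The second DN shares a CN with a mapped user but is not listed, so under trymap it receives the opaque hash rather than a name derived from the DN; authorization rules keyed on usernames should be reviewed with that in mind.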
