-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add mapfile support for XrdVoms #1538
Comments
@vokac mentioned this morning that VOMS mapfiles are something that they'll want for StoRM as well |
Indeed, the more we delve into this the more is seems we really need a discussion. How about using part of the XCache meeting for this as the principals here attend the meeting as well. Brian, Matyas can either of you to set something up |
Isn't this already supported? I thought that RAL ECHO uses gridmap. Should we check with James Walder? |
It is in GSI but not for http.
…On Mon, 25 Oct 2021, Wei Yang wrote:
Isn't this already supported? I thought that RAL ECHO uses gridmap. Should we check with James Walder?
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#1538 (comment)
|
I was trying to explain why we like different unix accounts for production vs. analysis jobs (StoRM GPFS filesystem can be mounted rw locally on WN) => that's why we need special mapping of tokens to different unix accounts in HTCondor-CE. I have to admit it is not completely clear to me how this relates to XrdVoms module ... besides that XRootD may use same mapping library. |
Ah, that makes sense. Nevermind then! |
To return to the original topic -- my line of logic on this is:
Don't think this is a "xrootd protocol versus HTTP protocol" question: we should strive to make those behave similarly. |
Hmm, Brian Lin was talking about VOMS mapfile. I thought he was talking about gridmapfile... Then this is a question of whether we want two different kinds of authorization "DB". |
I think two types of authentications is reasonable as we have two types of authentication mechanisms (GSI and VOMS). I don't view these as authorization DBs as they simply populate fields in the XrdSecEntity and don't make authorization decisions. One interesting question is precedence: currently, GSI and VOMS fill in mutually-exclusive fields in the XrdSecEntity for making authorization decisions. If both could fill in the It is possible (and not entirely irrational) to have a unified mapfile which has both VOMS FQAN and GSI DN's intermixed. That is more flexible than independent mechanisms but I can see the possibility for confusion. |
You are right, I wasn't thinking straight. mapfiles (GSI or VOMS) aren't auth DB. The thing I like about the current auth DB is that, for VOMS, it is a single place to config. I don't have to worry about coordinating VOMS mapfile and auth DB (though we can't do the same for GSI). The thing I don't like is that the concept of "compound ID" in auth DB is a bit hard to understand and remember. |
Hey Wei, I think the VOMS mapfile tackles the case where there's an underlying storage system that really needs a "user name" that can't be derived algorithmically via the FQAN. Examples I know about are EOS and xrootd-multiuser (the former does the "VOMS mapfile" by converting a VOMS FQAN to a long list of DNs and maps those to a single username... that kinda works but is problematic for other reasons). Brian |
Brian kindly provided a patch for this, so I am closing this ticket. This should appear in 5.5.0. |
We'd like to be able to create a mapfile for voms authentication such that we can choose the mappings between FQANs and Unix users; this is needed for multiuser to work. VOMS mapfiles are made of lines like
where USERNAME is a Unix user and FQAN-PATTERN is a glob.
For GSI, mapfile support is built in, but we've been told it's better to write a post-auth plugin for VOMS instead.
The text was updated successfully, but these errors were encountered: