X509 authentication plugin incorrect behavior when proxy includes a role

[glpatcern]

Following a user report, we have found that when a user accesses xroot via a VOMS proxy certificate that includes a VOMS role, the X509 plugin seems to require that a mapping be defined on the server side for that role.
Failure to provide a mapping results in the plugin to map the user to a default uid = 99 (i.e. 'nobody'), as can be seen in this log excerpt:

160115 13:19:48 time=1452860388.430486 func=GetIdMapping             level=WARN  logid=1267d8fe-bb7a-11e5-a0f5-c860001bd8b2 unit=rdr@c2public-1.cern.ch:1094 tid=139751941015296 source=XrdxCastor2Fs:1841  tid
ent=dirac.31411:74@voilcdiractest04 msg="no passwd struct found for role=dirac"
160115 13:19:48 time=1452860388.430564 func=GetIdMapping             level=DEBUG logid=1267d8fe-bb7a-11e5-a0f5-c860001bd8b2 unit=rdr@c2public-1.cern.ch:1094 tid=139751941015296 source=XrdxCastor2Fs:1846  tid
ent=dirac.31411:74@voilcdiractest04 msg="role=dirac -> uid/gid=99/99"

Shouldn't the appropriate behavior instead be to ignore the role and map the user according to the loaded gridmap file? Can you please check the code?

[bbockelm]

Hi Giuseppe,

Looking at this snippet:

source=XrdxCastor2Fs:1846

it appears the error is coming from one of the CERN-specific plugins (not maintained by the Xrootd team). Sorry, I don't think this project would be able to help.

Brian

[glpatcern]

Hi Brian,

Yes, sorry for the noise - we really believed it came from the core xrootd but no we can deal with it ourselves within CASTOR. Closing.

[bbockelm]

Sure, no problem - I just had been working on this very piece of code, so I definitely would have recognized the error message :)