Add support for VOMS mapfile #1572
Conversation
|
Oh! I should mention that the configuration parameters are of the variety "last time set wins", making it easier for administrators to provide an override file. |
|
Addresses #1538 |
There was a problem hiding this comment.
Good start but there are various things that really need to be changed. I likely did not find all of them but that's what iteration is all about. I also look at this as a way to address another problem you raised is how do we make this consistent across all protocols and do not require each one to specify the same thing using a different directive.
|
@bbockelm Addressed your comments. I think we are converging. |
If there's an entry found in the corresponding grid-mapfile, then that is considered "more specific" and overrides the "less specific" voms-mapfile entry. E.g., a mapping to `bbockelm` should be picked over a generic `cms`. To differentiate between an explicit mapping and the fallbacks generated for the plugins, we use the entity's extended attribute mechanism.
Instead of doing the reload of the mapfile in-line, add a new maintenance thread that will periodically reload the mapfile (if and only if a change is detected in the modification time of the mapfile).
This moves the mapfile invocation from being a "wrapper" around the existing XrdVoms plugins to be a core part of the functionality. Note this also changes the failure semantics from "fail quietly" to "fail process startup if misconfigured."
|
@abh3 - I believe the latest refactor has addressed all your comments. |
src/XrdHttp/XrdHttpSecurity.cc
Outdated
| @@ -164,6 +165,7 @@ XrdHttpProtocol::HandleGridMap(XrdLink* lp) | |||
| TRACEI(DEBUG, " Mapping name: '" << SecEntity.moninfo << "' --> " << bufname); | |||
| if (SecEntity.name) free(SecEntity.name); | |||
| SecEntity.name = strdup(bufname); | |||
| SecEntity.eaAPI->Add("gridmap.name", bufname, true); | |||
There was a problem hiding this comment.
I see this consistently set but who is actually going to look at that? I thought the whole idea is that the entity.name would hold this value. So, I must be mistaken. Can you explain the reasoning here (I am sure it will be obvious once you do).
There was a problem hiding this comment.
It's not obvious!
It's a bit of a problem of order of precedence. For the final value of entity.name, want the following order:
- Explicit entries in the grid mapfile.
- Explicit entries in the VOMS mapfile
- Whatever the default behavior is for the GSI plugin as a whole (e.g., potentially an auto-generated name).
Unfortunately, the naive solution results in an ordering of (1), (3), then (2). Thus, we add any explicit usage of the grid mapfile to the entity so we can distinguish a positive entry from a default fallback.
There was a problem hiding this comment.
I'm sure you looked at it until you fell asleep. Nonetheless, is there any way to fix this (i.e. adhere to the wanted order)? Now, let me understand this. The order basically says if the gridmap file has a map in it use it, if not use he one in the VOMS mapfile, and if it doesn't exists use the default. If that is the logic then swapping 2 and 3 should not make a difference because the default would be replaced by the VOMS mapping is it exists or the default would be kept. In the end, the same result. Now, please tell me it's not the way it works :-)
There was a problem hiding this comment.
The VOMS plugin runs after the GSI authentication logic; the GSI authentication logic that generates the entity.name may be based on the mapfile or the default logic. What's added here allows one to differentiate those two cases.
We need to know the difference between the default and explicit mapping because, in one case (the default), the VOMS mapfile overrides the entity.name value. In the other case, the VOMS mapfile should keep the entity.name untouched.
There was a problem hiding this comment.
OK, I now get it. However, couldn't we accomplish the same thing with a one bit flags to indicate the type of ID in the the name. Then Voms could do the right thing. That would be more straightforward than recording the full name as it looks like it going to be used for some other purpose that a simple "type" check. BTW we do have bit in the secentity structure. What do you think?
src/XrdHttp/XrdHttpSecurity.cc
Outdated
| @@ -164,6 +165,7 @@ XrdHttpProtocol::HandleGridMap(XrdLink* lp) | |||
| TRACEI(DEBUG, " Mapping name: '" << SecEntity.moninfo << "' --> " << bufname); | |||
| if (SecEntity.name) free(SecEntity.name); | |||
| SecEntity.name = strdup(bufname); | |||
| SecEntity.eaAPI->Add("gridmap.name", bufname, true); | |||
There was a problem hiding this comment.
I'm sure you looked at it until you fell asleep. Nonetheless, is there any way to fix this (i.e. adhere to the wanted order)? Now, let me understand this. The order basically says if the gridmap file has a map in it use it, if not use he one in the VOMS mapfile, and if it doesn't exists use the default. If that is the logic then swapping 2 and 3 should not make a difference because the default would be replaced by the VOMS mapping is it exists or the default would be kept. In the end, the same result. Now, please tell me it's not the way it works :-)
Reduces some of the logical complexity; prevents log files filling up quicker on failure.
Decision was that this would be sufficiently infrequently used that we can just let the OS cleanup the maintenance thread.
|
Ok, I think I addressed the two items! Assuming that my comment about the order-of-logic between the GSI & VOMS plugins makes sense, i think it's ready to go. |
|
@abh3 - quick ping on this for next week. I think all is ready (or, at least, ready for the next round of input!). |
src/XrdHttp/XrdHttpSecurity.cc
Outdated
| @@ -164,6 +165,7 @@ XrdHttpProtocol::HandleGridMap(XrdLink* lp) | |||
| TRACEI(DEBUG, " Mapping name: '" << SecEntity.moninfo << "' --> " << bufname); | |||
| if (SecEntity.name) free(SecEntity.name); | |||
| SecEntity.name = strdup(bufname); | |||
| SecEntity.eaAPI->Add("gridmap.name", bufname, true); | |||
There was a problem hiding this comment.
OK, I now get it. However, couldn't we accomplish the same thing with a one bit flags to indicate the type of ID in the the name. Then Voms could do the right thing. That would be more straightforward than recording the full name as it looks like it going to be used for some other purpose that a simple "type" check. BTW we do have bit in the secentity structure. What do you think?
There was a problem hiding this comment.
Missed handling when to reprocess the map file. I think we only need a comment to explain why ctime is used on not mtime.
OK, one final comment on how to make the code less obtuse when it comes to deciding on how to handle the name filed. I'd like your comments. Everything else looks fine.
detecting file changes.
|
Thanks for adding the comment. Now, what about using a type flag for the name instead of recording the actual name? I propose this because it would be very apparent what is being done here in terms of ordering the name mapping by using a type flag. |
…this is also in the Entity name).
|
@abh3 - I think I have the last two items cleaned up. We now return nullptr where necessary and switch to recording a single bit (as |
|
Thank you Brian. |
Add a mapfile for VOMS FQANs. This allows the VOMS plugin to map the contents of the VOMS extension to a name in the
XrdSecentity.This adds two new configuration parameters,
voms.mapfileandvoms.trace. Here's an example invocation:Where the mapfile is in the format used by XrdLcmaps:
At the
debuglevel, things are pretty chatty - including dumping each line during parsing and each mapping invocation.The mapfile is re-parsed every 30 seconds.