NAME
lcmaps_voms_poolgroup.mod - LCMAPS plugin to switch user identity based on VOMS
credentials by pool groups
SYNOPSIS
lcmaps_voms_poolgroup.mod [-groupmapfile groupmapfile] [-groupmapdir groupmapdir] [--map-to-secondary-groups] [-override_inconsistency] [-mapall] [-mapmin number of minimal mappings] [-strict_poolprefix_match yes_or_no]
DESCRIPTION
This VOMS poolgroup acquisition plugin is a 'VOMS-aware' modification of the
lcmaps_poolgroup.mod(8) plugin. The plugin tries to find a local group
(more specifically a Group ID) based on the VOMS information that is available
from LCMAPS, in particular the Fully Qualified Attribute Names (FQANs). The
group is acquired from a group pool. The groups in the group pool must exist
on the system, either locally or through a centralized account database, e.g.
LDAP.
The groupmapdir directory is used as a persistent and open mapping database. A
pool is defined as a set of groups whose names follow a particular pattern,
e.g. pool001 or atlas001. In this directory the plug-in creates a new file
whose name is built up from the VOMS FQAN in URL-encoded form:
Example showing the output of ls -li:
1836080 -rw-r--r-- 2 root root %2fdteam%2f
1836080 -rw-r--r-- 2 root root dteam001
This filename is hardlinked to the mapped groupname. Creating this hardlink is
designed to be an atomic operation and verified to work on large installations
serving multiple services from one NFS-share.
The VOMS credentials need to be available from the LCMAPS framework.
OPTIONS
- -groupmapfile groupmapfile
- This option is used to determine the groupmapfile path. The plug-in will
open the file and use the content for the FQAN to Group ID mapping. The
same formatting rules of the grid-mapfile apply to the groupmapfile.
Provide a full path.
- -groupmapdir groupmapdir
- A directory used for the group mapping database, similar to the
gridmapdir. It is important to not mix the gridmapdir and groupmapdir
directories.
- --map-to-secondary-groups
- When enabled, the plug-in will map all the FQANs of the user to secondary
Group IDs. There will be no primary Group ID set by this plug-in when
enabled.
- -override_inconsistency
- If the poolgroup is mapped from a URL-encoded VOMS FQAN to a group name,
and the groupmapfile states that this user needs to move to another pool,
then the plug-in will remap the user to the new pool. Without this option
the plug-in will fail if an existing mapping for the user credentials
exists but does not map to the configured pool.
- -mapall
- When enabled, a failure will be triggered if not all of the FQANs could be
mapped to primary or secondary Group IDs.
- -mapmin number of minimal mappings
- This option sets the minimum number of groups that have to be resolved for
later mapping. If the minimum is not set, it defaults to '0'. If the plugin
is not able to resolve the required number of poolgroups it will fail. Note:
if the minimum is set to zero or not set at all, the plugin will return
success if no other errors occur, even if no poolgroups were found.
- -strict_poolprefix_match yes/no
- If this is set to 'yes', a line in the groupmapfile like "<FQAN>" .poolgr
will result in groups matching the regexp poolgr[0-9]+. Otherwise it will be
allowed to match poolgr.* (legacy behaviour).
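The following Python model, added here as an illustration and not the plugin's own C code, shows how the groupmapdir hardlink database described above behaves together with -strict_poolprefix_match and -override_inconsistency: the URL-encoded FQAN file is claimed by an atomic link(2) against a free group file (link count 1), and an existing lease that points outside the requested pool is an inconsistency. The lower-case hex encoding and the helper names are assumptions.

```python
import os
import re

def encode_fqan(fqan):
    """URL-encode a VOMS FQAN as the groupmapdir example shows it:
    "/dteam/" becomes "%2fdteam%2f" (lower-case hex assumed from the ls output)."""
    return "".join(c if c.isalnum() or c in "-._" else "%%%02x" % ord(c) for c in fqan)

def pool_regex(prefix, strict):
    """Members of a pool: prefix[0-9]+ when strict, prefix.* otherwise (legacy)."""
    return re.compile("^" + re.escape(prefix) + ("[0-9]+" if strict else ".*") + "$")

def current_mapping(groupmapdir, lease):
    """Group name the lease file is hardlinked to, or None when no lease exists."""
    lease_path = os.path.join(groupmapdir, lease)
    if not os.path.exists(lease_path):
        return None
    ino = os.stat(lease_path).st_ino
    for name in os.listdir(groupmapdir):
        if name != lease and os.stat(os.path.join(groupmapdir, name)).st_ino == ino:
            return name
    return None

def acquire_poolgroup(groupmapdir, fqan, prefix, strict=True, override_inconsistency=False):
    """Return the pool group for fqan, creating the lease hardlink when needed."""
    lease = encode_fqan(fqan)
    rx = pool_regex(prefix, strict)
    existing = current_mapping(groupmapdir, lease)
    if existing is not None:
        if rx.match(existing):
            return existing  # already leased into this pool: reuse it
        if not override_inconsistency:
            raise RuntimeError("%s is mapped to %s, not to pool %s" % (fqan, existing, prefix))
        os.unlink(os.path.join(groupmapdir, lease))  # -override_inconsistency: drop old lease
    for name in sorted(os.listdir(groupmapdir)):
        path = os.path.join(groupmapdir, name)
        if rx.match(name) and os.stat(path).st_nlink == 1:  # group file not yet claimed
            try:
                os.link(path, os.path.join(groupmapdir, lease))  # atomic claim of the lease
                return name
            except FileExistsError:  # lost a race: another process leased this FQAN first
                return current_mapping(groupmapdir, lease)
    raise RuntimeError("pool %s has no free group for %s" % (prefix, fqan))
```

Run it against a scratch directory containing empty files named after the pool groups (e.g. dteam001, dteam002); the link count of each group file shows whether it is leased.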
RETURN VALUES
- LCMAPS_MOD_SUCCESS
- Success.
- LCMAPS_MOD_FAIL
- Failure.
BUGS
Please report any errors to the Nikhef Grid Middleware Security Team
<grid-mw-security-support@nikhef.nl>.
SEE ALSO
lcmaps.db(5),
lcmaps(3).
AUTHORS
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team
<grid-mw-security@nikhef.nl>.