XRootD
The VOMS plugin can now populate the XRootD session's name attribute from a mapping file (the "voms-mapfile"). Filesystems which rely on the username in addition to the XRootD authorization can utilize this name to make authorization and file ownership decisions.
Note that the plugins have the following precedence for the name attribute:
Administrators may desire to disable the auto-generated name as it likely does not match any Unix username on the system.
There are two configuration options that control the plugin:

- Enables the mapping functionality and uses the file at `FILENAME` as the voms-mapfile. The mapfile is reloaded every 30 seconds; the daemon does not need to be restarted to pick up changes.
- Enables debugging of the VOMS mapfile logic. Options are additive and multiple can be given.
The file format ignores empty lines; a line beginning with the hash character (`#`) is considered a comment and ignored.
Otherwise, each line specifies a mapping from an expression to a Unix username in the following form:
If the session has a VOMS FQAN matching `EXPRESSION`, then the session's name will be set to `USERNAME`.

Examples of the `EXPRESSION` include:
Expressions may also have wildcards (`*`) present. The wildcard can serve two roles:

- If the expression ends with `/*`, then any remaining portion of the attribute is matched. For example, `/cms/*` matches `/cms/Role=NULL/Capability=NULL` and `/cms/uscms/Role=pilot/Capability=NULL`.
- A `*` in place of a single path component matches any value for that component. For example, `/fermilab/*/Role=pilot/Capability=NULL` matches both `/fermilab/dune/Role=pilot/Capability=NULL` and `/fermilab/des/Role=pilot/Capability=NULL`, but not `/fermilab/Role=pilot/Capability=NULL`.

Several escape sequences are supported within the expression:

- `\'`: a single quote character (`'`).
- `\"`: a double quote character (`"`).
- `\\`: a backwards slash (`\`).
- `\/`: a forward slash that is not a path separator (`/`).
- `\f`: a formfeed.
- `\n`: a newline.
- `\r`: a carriage return.
- `\t`: a tab character.

The use of these escape sequences is discouraged, as it is unclear whether other software is able to safely handle them. Unicode and extended 8-bit ASCII are not supported at this time.
Note, as is tradition, the name of the VO in the VOMS FQAN must match the first group name. That is, if the `cms` VO issues a FQAN of the form `/atlas/Role=pilot/Capability=NULL`, then the FQAN is ignored.
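The wildcard rules, the escape sequences and the VO-name check described above, worked through as an added Python example (not the plugin's own code). Since the mapfile line format did not survive in this text, the mappings are an in-memory list of (expression, username) pairs constructed for the example, and the lookup order (FQANs first, then mapfile entries) is an assumption of this example rather than documented plugin behaviour.

```python
from typing import Optional

# Escape sequences the mapfile expression syntax supports (see list above).
ESCAPES = {"'": "'", '"': '"', "\\": "\\", "/": "/",
           "f": "\f", "n": "\n", "r": "\r", "t": "\t"}

def split_components(expression: str) -> list:
    """Split an expression on unescaped '/'; '\\/' is a literal slash, not a separator."""
    parts, cur, i = [], "", 0
    while i < len(expression):
        ch = expression[i]
        if ch == "\\" and i + 1 < len(expression) and expression[i + 1] in ESCAPES:
            cur += ESCAPES[expression[i + 1]]   # decode the escape into the component
            i += 2
        elif ch == "/":
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur += ch
            i += 1
    parts.append(cur)
    return parts[1:] if parts[0] == "" else parts   # drop the empty piece before the leading "/"

def expression_matches(expression: str, fqan: str) -> bool:
    """Apply the two wildcard roles: a trailing '/*' matches any remainder of the
    FQAN; a '*' standing as a whole component matches exactly one component."""
    pattern = split_components(expression)
    attr = fqan.split("/")[1:] if fqan.startswith("/") else fqan.split("/")
    if pattern and pattern[-1] == "*":          # trailing "/*": compare the prefix only
        pattern, attr = pattern[:-1], attr[:len(pattern) - 1]
    if len(pattern) != len(attr):               # a component wildcard never spans zero or two components
        return False
    return all(p == "*" or p == a for p, a in zip(pattern, attr))

def map_session_name(vo: str, fqans: list, mappings: list) -> Optional[str]:
    """Return the username of the first mapping matched by an FQAN the VO issued, else None.
    An FQAN whose first group is not the issuing VO's name is ignored, as the text above states."""
    for fqan in fqans:
        if fqan.split("/")[1:2] != [vo]:
            continue        # e.g. the cms VO asserting /atlas/... is dropped
        for expression, username in mappings:   # assumption: mapfile order decides ties
            if expression_matches(expression, fqan):
                return username
    return None

# Constructed sample mappings for this example (not a real mapfile).
MAPPINGS = [("/fermilab/*/Role=pilot/Capability=NULL", "fnalpilot"), ("/cms/*", "cmsuser")]
```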