dcache
Admin role not found in the REST API
I would like to access the REST API with an admin role, but I can't get it working.
In the gplazma service I have configured:
gplazma.roles.admin-gid=666
gplazma.roles.observer-gid=667
In the LDAP I have created a group 666 and added the s_jenla user.
# ldapsearch -x -LLL '(cn=dcacheadmin)'
dn: gidNumber=666,ou=Groups,dc=swestore-ldap
objectClass: Swestore
objectClass: posixGroup
cn: dcacheadmin
gidNumber: 666
memberUid: s_jenla
In gplazma.conf I have:
auth optional x509
auth optional voms
auth optional jaas gplazma.jaas.name=Krb5Gplazma
map optional krb5
map optional vorolemap
map optional gridmap gplazma.gridmap.file=/etc/grid-security/grid-mapfile-supr
map optional gridmap gplazma.gridmap.file=/etc/grid-security/grid-mapfile-static
map sufficient authzdb gplazma.authzdb.uid=uid,login,group,user
map requisite ldap
session optional roles
session optional authzdb
session requisite ldap
identity sufficient ldap
Then I run test login in the dCache CLI in the gPlazma cell:
[draal] (gPlazma@gPlazma-draalDomain) admin > test login kerberos:[email protected]
Login[s_jenla,31024:[31024, 31024, 7737, 666, 39516],[PrefixRestrict[prefixes={/pnfs/swegrid.se/data,/pnfs/swegrid.se/data/upload}], UnassertedRole[admin], RootDirectory[/pnfs/swegrid.se/data], HomeDirectory[/]]]
I can see that the user has the 666 group and it also has the "UnassertedRole[admin]" which is promising. gPlazma seems to be aware of the role!
On the other hand, explain login username:s_jenla does not show me any role. So I don't know.
When I check with the API:
curl -k -s -u s_jenla -H 'Content-Type: application/json' -X GET "https://webdav.swestore.se:3880/api/v1/user" | jq
{
"status": "AUTHENTICATED",
"uid": 31024,
"gids": [
31024,
31024,
7737,
666,
39516
],
"username": "s_jenla",
"homeDirectory": "/",
"rootDirectory": "/pnfs/swegrid.se/data"
}
The group is there, but no roles, and no unassertedRoles. I was expecting something like this:
"roles": [
"string"
],
"unassertedRoles": [
"string"
],
Same when I check in Swagger and in dcache-view (logging in with username and password). So somewhere along the line the role is lost and I cannot figure out where. Do you have this working?
dCache 10.2, Java 17
/jens
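The comparison made in the post above can be automated. The following is an added example, not part of the original post or of dCache: it parses the `test login` line and the `/api/v1/user` body quoted above and reports roles that gPlazma or the configured role gids grant but the REST response omits. The function names are hypothetical, and the `Role[...]` form for an already asserted role is an assumption.

```python
import json
import re

# Inputs copied from the post: the gPlazma "test login" result and the body
# returned by GET /api/v1/user for the same account.
GPLAZMA_LOGIN = (
    "Login[s_jenla,31024:[31024, 31024, 7737, 666, 39516],"
    "[PrefixRestrict[prefixes={/pnfs/swegrid.se/data,/pnfs/swegrid.se/data/upload}], "
    "UnassertedRole[admin], RootDirectory[/pnfs/swegrid.se/data], HomeDirectory[/]]]"
)
REST_USER = """{"status": "AUTHENTICATED", "uid": 31024,
 "gids": [31024, 31024, 7737, 666, 39516], "username": "s_jenla",
 "homeDirectory": "/", "rootDirectory": "/pnfs/swegrid.se/data"}"""
ROLE_GIDS = {"admin": 666, "observer": 667}  # gplazma.roles.*-gid from the post


def parse_test_login(line):
    """Extract the gid set and role names from a 'test login' result line."""
    m = re.search(r"Login\[[^,]+,\d+:\[([\d,\s]*)\]", line)
    if not m:
        raise ValueError("not a Login[...] line")
    gids = {int(g) for g in m.group(1).split(",") if g.strip()}
    # UnassertedRole[...] is the form shown in the post; Role[...] is assumed.
    roles = set(re.findall(r"\b(?:Unasserted)?Role\[([^\]]+)\]", line))
    return gids, roles


def parse_rest_user(body):
    """Extract gids and roles (asserted or unasserted) from /api/v1/user JSON."""
    doc = json.loads(body)
    roles = set(doc.get("roles", [])) | set(doc.get("unassertedRoles", []))
    return set(doc.get("gids", [])), roles


def lost_roles(login_line, rest_body, role_gids):
    """Roles granted by gid or reported by gPlazma but absent from the REST body."""
    g_gids, g_roles = parse_test_login(login_line)
    r_gids, r_roles = parse_rest_user(rest_body)
    entitled = {role for role, gid in role_gids.items() if gid in g_gids | r_gids}
    return sorted((entitled | g_roles) - r_roles)


if __name__ == "__main__":
    print("roles missing from REST response:", lost_roles(GPLAZMA_LOGIN, REST_USER, ROLE_GIDS))
```

An empty result after a configuration change or upgrade means the REST response carries every role the gid mapping implies.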
Hi Jens,
I had the same problem and finally assigned the role admin through the multimap plugin.
See below an example of how I've defined it:
username:eplanas uid:63196 gid:50041,true gid:50024 gid:57064 gid:57063 gid:1401 gid:1402 roles:admin,qos-user,qos-group
Hope it helps. Elena
In gplazma I have this entry:
map sufficient multimap gplazma.multimap.file=/etc/dcache/multimap-username-to-uid+gid.conf
@nsc-jens Thanks for reporting. I can confirm that functionality is broken. We have identified the issue and will hopefully release a fix shortly.
Thank you! I see the issue is fixed. Super speed!
Meanwhile I implemented the fix from @elenamplanas as:
multi-mapfile:
username:s_jenla roles:admin
gplazma.conf:
map optional multimap
This worked and is in the end perhaps a cleaner solution for what we wanted to achieve. But the software should of course behave as documented and expected.