
`multimap`/`omnisession`: please add a `dn-only-no-fqan` predicate

Open calestyo opened this issue 4 months ago • 0 comments

Hey.

I think many VOs (at least ATLAS and BELLE) typically use a scheme where the DN is basically ignored (other than that it has to be a trusted cert) and the FQAN decides both UID and GID.

In such a setup, it would be nice if one could define mappings that only work when no FQAN is present, so that if the user comes along with his VOMS extensions he gets the UID/GID for that, but if not, he gets e.g. some local UID.

Like in (with whichever DN):

fqan:/atlas,true                                username:atlas uid:...

and in (with no FQAN):

dn:"/C=DE/O=GridGermany/OU=Ludwig-Maximilians-Universitaet Muenchen/OU=Faculty of Physics/CN=Christoph Anton Mitterer"  username:calestyo uid:...

The above however doesn't work, at least not within one multimap mapping phase and config file, because it would accumulate the usernames, uids and gids, which in turn would result in an error because of multiple UIDs (and possibly because of multiple primary GIDs, too).

With the current functionality there's only some hacky workaround, namely using two multimap mapping phases with different map files:

A gplazma.conf like:

auth    optional        x509
auth    optional        voms
auth    optional        oidc
map     sufficient      multimap
map     sufficient      multimap        gplazma.multimap.file=/etc/dcache/access-control/multi-mapfile2
session requisite       omnisession

btw: It seems to be documented nowhere which key=value pairs are accepted in the 4th column... some examples seem to indicate they may be dcache.conf options (which works here for multimap), but some example in the docs seems to indicate it's other option names:

map     requisite authzdb authzdb=/etc/grid-security/authzdb

(or maybe the example is buggy).

A "normal2" multimap config (gplazma.multimap.file=/etc/dcache/access-control/multi-mapfile) like so:

fqan:/atlas,true                                username:atlas                  uid:11000       gid:11000,true
fqan:/atlas/Role=pilot,true                     username:atlas                  uid:11000       gid:11000,true
fqan:/atlas/Role=production,true                username:atlas-production       uid:11001       gid:11000,true

and a special one for the 2nd phase (gplazma.multimap.file=/etc/dcache/access-control/multi-mapfile2) like so:

dn:"/C=DE/O=GridGermany/OU=Ludwig-Maximilians-Universitaet Muenchen/OU=Faculty of Physics/CN=Christoph Anton Mitterer"  username:calestyo uid:...

(with no fqan: mappings in it).
Haven't tested it in full detail yet, but it seems to work.

Now it would be nice if this could be done in one phase/file.
Not sure how this could be done generically... because that would likely require breaking the file format.

Ideally one would be able to say:

predicate1 predicate2 -> predicateA predicateB

i.e. more than one predicate (and also more than just 2) on the left hand side.

Perhaps you could make it backwards compatible by adding new operators & and | (and/or):

predicate1 & predicate2 -> predicateA predicateB
predicate1 | predicate2 -> predicateA predicateB

and maybe also ( and ).

Now for the above (making sure no fqan is present) one needs, of course, more syntactical means, e.g. something like:

dn:"Meeesa Jar Jar Binks" & !fqan uid:1000 gid:2000

Cheers, Chris.

calestyo, Sep 01 '25 15:09
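To make the failure mode and the two proposed remedies concrete, here is a small, constructed model of a multimap-style mapping phase. It is an added example and not dCache's or gPlazma's own code; it assumes that every matching line's principals accumulate, that more than one uid or primary gid in the result is an error, that a `sufficient` phase which maps anything ends the mapping, and it implements the hypothetical `!fqan` predicate (holds only when the login carries no FQAN) and a `&` conjunction as sketched in the post. The DN, UIDs and map lines below are constructed sample data.

```python
"""Toy model of the multimap mapping phase described in the issue.

Constructed illustration, NOT dCache's implementation. Assumptions:
  * a map line is   PREDICATE [& PREDICATE ...]  ->  PRINCIPAL ...
    (an explicit "->" keeps the parser simple; the issue's lines use whitespace);
  * a line fires when every left-hand predicate holds, and the principals of
    all firing lines accumulate;
  * more than one uid, or more than one primary gid, in the accumulated
    result is an error (the "multiple UIDs" failure the issue describes);
  * the hypothetical "!fqan" holds only when the login carries no FQAN at all;
  * "sufficient" phase semantics: the first phase yielding a principal ends it.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Login:
    """Principals a user arrives with (constructed for the example)."""
    dn: Optional[str] = None
    fqans: list = field(default_factory=list)


class MappingError(Exception):
    pass


def _holds(pred: str, login: Login) -> bool:
    """Evaluate one left-hand predicate, with optional leading '!' negation."""
    negate = pred.startswith("!")
    if negate:
        pred = pred[1:]
    kind, _, value = pred.partition(":")
    value = value.split(",")[0]            # ignore a trailing ",true" marker
    if kind == "dn":
        present = (login.dn == value) if value else (login.dn is not None)
    elif kind == "fqan":
        present = (value in login.fqans) if value else bool(login.fqans)
    else:
        raise ValueError(f"unknown predicate kind: {kind}")
    return not present if negate else present


def parse_map(text: str) -> list:
    """Parse map lines into (left predicates, right principals) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)         # keeps the quoted DN as one token
        arrow = tokens.index("->")
        left = [t for t in tokens[:arrow] if t != "&"]
        rules.append((left, tokens[arrow + 1:]))
    return rules


def run_phase(rules: list, login: Login) -> dict:
    """Accumulate principals of every firing rule; reject ambiguous results."""
    out: dict = {}
    for left, right in rules:
        if all(_holds(p, login) for p in left):
            for principal in right:
                kind, _, value = principal.partition(":")
                out.setdefault(kind, []).append(value)
    if len(set(out.get("uid", []))) > 1:
        raise MappingError(f"multiple UIDs: {out['uid']}")
    primaries = {g for g in out.get("gid", []) if g.endswith(",true")}
    if len(primaries) > 1:
        raise MappingError(f"multiple primary GIDs: {sorted(primaries)}")
    return out


def run_phases(map_files: list, login: Login) -> dict:
    """'sufficient' semantics: stop at the first phase that maps anything."""
    for text in map_files:
        result = run_phase(parse_map(text), login)
        if result:
            return result
    return {}


# Constructed sample data (not taken from the issue).
DN = "/C=XX/O=Example/CN=Some User"
FQAN_MAP = """
fqan:/atlas,true             ->  username:atlas             uid:11000  gid:11000,true
fqan:/atlas/Role=production  ->  username:atlas-production  uid:11001  gid:11000,true
"""
DN_MAP = f'dn:"{DN}"  ->  username:local  uid:5000  gid:5000,true\n'
COMBINED_MAP = FQAN_MAP + f'dn:"{DN}" & !fqan  ->  username:local  uid:5000  gid:5000,true\n'

ATLAS_USER = Login(dn=DN, fqans=["/atlas"])   # arrives with VOMS extension
LOCAL_USER = Login(dn=DN)                     # same cert, no FQAN


def one_phase_naive() -> str:
    """dn and fqan lines in one file: both fire for ATLAS_USER -> two UIDs."""
    try:
        run_phase(parse_map(FQAN_MAP + DN_MAP), ATLAS_USER)
    except MappingError as err:
        return str(err)
    return "no error"


def two_phase(login: Login) -> dict:
    """The workaround from the issue: two sufficient phases, two files."""
    return run_phases([FQAN_MAP, DN_MAP], login)


def one_phase_negated(login: Login) -> dict:
    """The requested feature: one file, DN line guarded by '& !fqan'."""
    return run_phase(parse_map(COMBINED_MAP), login)
```

Running `one_phase_naive()` reproduces the accumulation error, `two_phase(...)` shows why the second, DN-only file never interferes with a VOMS login under `sufficient`, and `one_phase_negated(...)` shows that a single negated predicate is enough to keep the local fallback from ever adding a second uid. The real gain is auditability: with the guard in one file, a reviewer can see in one place that a DN-based local identity is granted only when no VO attributes were presented.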