Version 1.7.1:
- When retrieving the user_dn and FQANs, first check the data registered by
other plugins before trying the introspect/run arguments.
- gridmapdir code: test whether we can write the source for the hardlink before
actually linking: otherwise we cannot touch it afterwards using utime().
- Fix realloc handling
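
The gridmapdir change above, sketched as an added example (not code from the LCMAPS sources): `lease_link` and `demo_link_count` are hypothetical names, and the scratch paths are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#include <utime.h>

/* Hypothetical helper, not an LCMAPS function: hard-link src to dst, then
 * refresh the timestamps. Returns 0 on success, -1 with errno set. */
int lease_link(const char *src, const char *dst)
{
    /* utime(path, NULL) needs ownership or write permission, so probe
     * before linking: a link that cannot be touched is never created.
     * access() tests the real UID and is only advisory; the utime()
     * result is still checked. */
    if (access(src, W_OK) != 0)
        return -1;
    if (link(src, dst) != 0)
        return -1;
    if (utime(dst, NULL) != 0) {
        int saved = errno;
        unlink(dst);            /* roll back the unusable link */
        errno = saved;
        return -1;
    }
    return 0;
}

/* Constructed demo: make a scratch directory, link one entry and return
 * the source's link count afterwards (2 on success), or -1 on failure. */
long demo_link_count(void)
{
    char dir[] = "/tmp/lease-demo-XXXXXX", src[64], dst[64];
    struct stat st;
    long n = -1;
    FILE *f;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(src, sizeof src, "%s/pool001", dir);
    snprintf(dst, sizeof dst, "%s/lease", dir);
    if ((f = fopen(src, "w")) != NULL) {
        fclose(f);
        if (lease_link(src, dst) == 0 && stat(src, &st) == 0)
            n = (long)st.st_nlink;
    }
    unlink(dst); unlink(src); rmdir(dir);   /* clean up scratch files */
    return n;
}

int main(void) { printf("links: %ld\n", demo_link_count()); return 0; }
```
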
Version 1.7.0:
- Move to new lcmaps-gridmapfile and lcmaps-gridmapdir functions, syncing code
with the lcmaps-plugins-robot code-base. These new functions are a major
rework of the original ancient and buggy lcmaps-gridlist codebase. Among other
things it fixes a number of grid-mapfile parsing problems and problems when
using a default grid-mapfile.
- Extensive cleanup and synchronization of different banning and mapping plugins
ban_fqan, voms_localaccount, voms_poolaccount, voms_localgroup and
voms_poolgroup.
- Synchronize and improve GID mapping options between localaccount and
poolaccount plugins. We have two 'global' options to set the default:
--use-voms-gid and --use-account-gid (new option). The former
instructs the plugin not to use the pGID/sGID information of the mapped
account by default, the latter does the opposite. The actual behaviour can
be tuned using the other flags, for the pGID:
--do-not-add-primary-gid-from-mapped-account,
--add-primary-gid-from-mapped-account,
--add-primary-gid-as-secondary-gid-from-mapped
where the latter two can be combined with each other. For the sGIDs:
--do-not-add-secondary-gids-from-mapped-account (new option)
--add-secondary-gids-from-mapped-account
The only difference between the voms_localaccount and voms_poolaccount
plugins is the default: voms_localaccount has --use-account-gid as default,
voms_poolaccount has --use-voms-gid as default.
- Replace lcmaps_voms plugin with empty plugin logging that it has been
deprecated: All functionality has long been integrated with LCMAPS itself so
it can safely be removed from any policy. This also removes all dependencies
on VOMS and Globus libraries.
Version 1.6.4:
- Add clarification in man-page about lcmaps_voms_poolgroup.
- Minor bugfix for compiler warnings and fix for Solaris
Version 1.6.3:
- Minor bugfixes and cleanup
Version 1.6.2:
- Fix bug in ban_fqan when a voms-less proxy is used: ban_fqan should succeed.
Version 1.6.1:
- Fix bug in voms_poolaccount when requested username is unset
- Fix missing #include of dlfcn.h for voms_poolaccount
Version 1.6.0:
- When LCMAPS has version 1.6.0 or higher, the voms_localaccount and
voms_poolaccount plugins will try to obtain a "requested_username" from the
framework.
When set:
* for the voms_localaccount it needs to match one of the target useraccounts
for the FQANs in the grid-mapfile. This enables support for mapping to
e.g. user2 in an entry such as
"/FQAN" user1,user2
* for the voms_poolaccount it needs to match the resulting poolaccount.
Version 1.5.5:
- Adding a deprecation notice about the LCMAPS VOMS Extract plugin
Version 1.5.4:
- New plugin: lcmaps_ban_fqan to ban a user based on the presence of any of
its FQANs in a local database file.
Version 1.5.3:
- Added manpages for the lcmaps_voms, lcmaps_voms_localaccount,
lcmaps_voms_poolaccount, lcmaps_voms_poolgroup and lcmaps_localgroup
plug-ins.
- Fix an 'invalid read' in valgrind (seems a bug in the gnu implementation of
strspn())
Version 1.5.2:
- Fixed a bug when the option -do_not_use_secondary_gids is set and no other
is set. This was discovered during an upgrade on a CREAM CE by Massimo
Sgaravatto. The check was intended to raise an error when mutually
exclusive settings were configured. In this case the settings were not
mutually exclusive and falsely failed the initialization of the plug-in.
The check has been removed.
Version 1.5.1:
- Removed the gss_cred_id_t to X.509 conversion. The LCMAPS framework
reliably takes care of this, taking the X.509 as a base (exclusive for
the lcmaps_voms.mod, not the mapping plug-ins).
Version 1.5.0:
- Changing the log messages to match the logging method used in LCMAPS version
1.5.0, which will be using the Syslog native log priority/levels.
- Added an initialization check to the voms localaccount plugin. The
grid-mapfile must be stat()-able, otherwise trigger an initialization
failure. Previously a run-time error would have been triggered.
- Added initialization checks to the voms poolgroup plugin. The groupmapfile
and groupmapdir must be stat()-able, otherwise trigger an initialization failure.
Previously a run-time error would have been triggered.
- A new option to the plugins "voms_localgroup" and "voms_poolgroup":
--map-to-secondary-groups:
When set all the VOMS FQAN to Unix Group ID mappings will be
stored as secondary Unix group IDs. By default the first mapping
will be stored as a primary Unix Group ID
- A new option to the plugins "voms_localaccount" and "voms_poolaccount":
--add-primary-gid-from-mapped-account
When set the primary Unix ID will come from the mapped local/pool
account based on 'passwd' information on the account.
--do-not-add-primary-gid-from-mapped-account
When set the primary Unix ID will NOT come from the account and is
expected to be set by another plug-in prior. The voms_poolaccount
plug-in expects (by default) a primary Unix group id to be
provided. The voms_localaccount could function without the primary
Unix group id set. It is therefore advised to run a plug-in that will
provide this information prior to these two plug-ins.
Note for the voms_localaccount:
This feature is equivalent to setting -use_voms_gid or
--use-voms-gid
--add-secondary-gids-from-mapped-account:
When set the secondary Unix group IDs of the mapped account are
added as mapped secondary Unix group ID results
--add-primary-gid-as-secondary-gid-from-mapped-account
The mapped pool/local account is looked up for its 'passwd'
information and the associated primary Unix group ID is added to
the mapping result as a secondary Unix group ID.
The following combinations of options are mutually exclusive:
--do-not-map-primary-gid and --match-primary-gid-to-mapped-account
--use-voms-gid and --do-not-map-primary-gid
--use-voms-gid and --match-primary-gid-to-mapped-account
--use-voms-gid and --add-secondary-gids-from-mapped-account
- New option to "voms_poolaccount":
--require-primary-gid:
This was the old default. The voms_poolaccount plugin expects to
have access to an already mapped primary Unix group ID from a
previously executed plug-in. The primary Unix group ID and the
secondary Unix group IDs were used to form the poolindex entry
in the gridmapdir and poolaccount procurement process.
--do-not-require-primary-gid:
The new DEFAULT. The voms_poolaccount plugin does not expect a
primary Unix group ID to be set by another plug-in. At the time of
the poolindex construction and account procurement process from the
gridmapdir the primary Unix group ID is *NOT* used when not yet
set. If another plugin did set a primary Unix group ID, then this
is going to be used too.
Applying this setting provides the opportunity to use the
"--map-to-secondary-groups" option to the "voms_localaccount" and
"voms_poolaccount" and let the primary Unix group ID from the
"--add-primary-gid-from-mapped-account" work as advertised.
Version 1.4.6:
- Moving the debug message more to the background into the debug stream.
For all LCMAPS plugins:
- Updated the gridmapfile and gridmapdir code to signal in the logfile that the gridmapdir is not set up properly or is full. This message was lost. Updated all other localaccount and poolaccount plug-in logging as well to be less verbose and to the point for debugging purposes.
Generic to all components:
- adjusted to be able to use EPEL, EMI and gLite packages and system native library installations
- cleanup of unused files and support for distribution tarball.
- provide pkg-config files
- All LCMAPS public header files are in ${includeDir}/lcmaps/*.h