File: libXrdVoms.1

package info (click to toggle)
xrootd 5.9.1-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 25,956 kB
  • sloc: cpp: 244,425; sh: 2,691; python: 1,980; ansic: 1,027; perl: 814; makefile: 272
file content (140 lines) | stat: -rw-r--r-- 4,450 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
 
.TH libXrdVoms 1 "@XRootD_VERSION_STRING@"
.SH NAME
libXrdVoms - XRootD plug-in to extract VOMS attributes
.SH SYNOPSIS
.nf
sec.protparm gsi -vomsfun:\fBlibXrdVoms.so\fR
sec.protparm gsi -vomsfunparms:\fIoptions\fR
.fi

.SH DESCRIPTION
The \fBlibXrdVoms\fR plug-in provides an implementation of the

.nf
int XrdSecgsiVOMSFun(XrdSecEntity &ent)
int XrdSecgsiVOMSInit(const char *cfg)
.fi

functions making use of the official VOMS API libraries to validate and extract the VOMS attributes from a VOMS proxy.

.SH OPTIONS
The following options are available:

\fBcertfmt={raw,pem,x509}\fR
.RS 2
Certificate format: \fBraw\fR to be used with XrdCrypto tools; \fBpem\fR PEM base64 format (as in cert files); \fBx509\fR, as a STACK_OF(X509). Default: \fBraw\fR.
.RE

\fBgrpopt=opt\fR
.RS 2
Defines how to use the group names information; \fBopt\fR is defined as \fBsel\fR * 10 + \fBwhich\fR, with \fBsel\fR either \fB0\fR
(consider all the groups present in the VOMS extension)
or \fB1\fR (select among those groups specified by the \fBgrps\fR option; see below); \fBwhich\fR can be either \fB0\fR (take the first one)
or \fB1\fR (take the last) or \fB2\fR (take all, comma separated, and created a vertically sliced tuple; see \fBNOTES\fR below).
.RE

\fBgrps=grp1[,grp2,...]\fR
.RS 2
Group(s) for which the information is extracted; if specified, the grpopt \fBsel\fR is set to \fB1\fR regardless of the setting; see \fBNOTES\fR below.
.RE

\fBvos=vo1[,vo2,...]\fR
.RS 2
VOs to be considered; the first match is taken; see \fBNOTES\fR below.
.RE

\fBgrpfmt=fmtstring\fR, \fBrolefmt=fmtstring\fR, \fBvofmt=fmtstring\fR
.RS 2
String to be used to format the content of XrdSecEntity::grps, XrdSecEntity::role, XrdSecEntity::vorg, respectively.
These strings are optional and by default they are empty.
.RE
.RS 2
Recognized place holders in the above format strings:
.RE
.RS 5

.nf
<r>: role
<g>: group
<vo>: VO
<an>: Full Qualified Attribute Name
.fi

.RE
.RS 2
For example, rolefmt=<g>|grpfmt=<r>|vofmt="<vo> <an>" will inverse the group and role, and will add a space and the FQAN
in the vorg field of XrdSecEntity.
.RE

\fBdbg\fR
.RS 2
Force verbose mode.
.RE

Multiple options can be specified separated by '\fR|\fB'.

.SH NOTES

Specifying \fBgrps\fR or \fBvos\fR options forces a failure if the requested group and/or VO is not found. In this regard, this plug-in may
act as a sort of authorization filter. Note that most refined authorization based on VOMS information may be achieved using
the \fBlibXrdSecgsiAuthzVO\fR plug-in distributed with XRootD.

Option 'all' for the group selection (which=2) will generated a vertically sliced tuple including VO, group and role fields. For example, the following VOMS attributes

.nf
attribute : /atlas/de/Role=production/Capability=NULL
attribute : /atlas/de/Role=NULL/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
.fi

would result in following content in the XrdSecEntity fields:

.nf
vorg: atlas atlas atlas
grps: /atlas/de /atlas/de /atlas
role: producton NULL NULL
.fi

The default XrdAcc will take its decision by checking in turn the triplets obtained slicing vertically this tuple.

.SH EXAMPLES

The following example shows how configure the plugin to select VO=cms, select the first group, use the PEM format for the proxy
and switch on debugging; it shows also how to specify multiple options, either on the same line or on multiple lines.
.RS 5

.nf
sec.protparm gsi -vomsfun:libXrdVoms.so
sec.protparm gsi -vomsfunparms:grpopt=0|vos=cms|certfmt=pem
sec.protparm gsi -vomsfunparms:dbg
.fi

.SH FILES
The plug-in files are
.nf
lib64/libXrdVoms-4.so (or lib/libXrdVoms-4.so)\fR
include/xrootd/private/XrdVoms/XrdVoms.hh\fR
.fi

and are typically available under \fB/usr\fR.


.SH ENVIRONMENT
The environment \fBX509_VOMS_DIR\fR must be set to a valid directory; this is typically \fB/etc/grid-security/vomsdir\fR.

.SH DIAGNOSTICS
The \fBlibXrdVoms\fR plug-in requires \fBlibvomsapi.so\fR and the openssl libraries. In case of load failure it may be
useful to check with ldd if all the required dependencies are correctly resolved.

.SH LICENSE
LGPL; see http://www.gnu.org/licenses/.

.SH AUTHOR AND SUPPORT
The \fBlibXrdVoms\fR plug-in has been implemented by Gerardo Ganis (Gerardo.Ganis@cern.ch).
Any request for support should addressed via the project main web site
.ce
https://github.com/gganis/vomsxrd

or via the XRootD support site
.ce
https://github.com/xrootd/xrootd