Lcmaps plugin to switch user identity based on voms credentials by pool groups
lcmaps_voms_poolgroup.mod [-groupmapfile groupmapfile] [-groupmapdir groupmapdir] [--map-to-secondary-groups] [-override_inconsistency] [-mapall] [-mapmin number of minimal mappings] [-strict_poolprefix_match yes_or_no]
This VOMS poolgroup acquisition plugin is a 'VOMS-aware' modification of the lcmaps_poolgroup.mod.8 plugin. The plugin tries to find a local group (more specifically a GroupID) based on the VOMS information that has available from the LCMAPS, in particular the Fully Qualified Attribute Names (FQAN). The group is acquired from an group pool. The groups in the group-pool must exist on the system, either locally or through a centralized account database, e.g. LDAP.
The groupmapdir directory is going to be used as a persistent and open mapping database. A pool is defined as being a set of groups following a particular pattern in their naming, i.e. pool001 or atlas001. In the directory the plug-in will make a new filename build-up VOMS FQAN in URL-encode form:
Example showing the output of ls -li:
1836080 -rw-r--r-- 2 root root %2fdteam%2f
1836080 -rw-r--r-- 2 root root dteam001
This filename is hardlinked to the mapped groupname. Creating this hardlink is designed to be an atomic operation and verified to work on large installations serving multiple services from one NFS-share.
The VOMS credentials need to be available from the LCMAPS framework.
This option is used to determine the groupmapfile path. The plug-in will open the file and use the content for the FQAN to Group ID mapping. The same formatting rules of the grid-mapfile apply to the groupmapfile. Provide a full path.
A directory used for the group mapping database, similar to the gridmapdir. It is important to not mix the gridmapdir and groupmapdir directories.
When enabled, the plug-in will map all the FQANs of the user to secondary Group IDs. There will be no primary Group ID set by this plug-in when enabled.
If the poolgroup is mapped from an URL-encoded VOMS FQAN to a group name, and when the gridmapfile states that this user needs to move to another pool, then the plug-in will remap the user to the new pool. Without this option the plug-in will fail if an existing mapping for the user credentials exist, but do not map the configured mapping pool.
When enabled, a failure will be triggered if not all of the FQANs could be mapped to primary or secondary Group IDs.
-mapmin number of minimal mappings
This option will set a minimum amount of groups that have to be resolved for later mapping. If the minimum is not set then the minimum amount is set to '0' by default. If the plugin is not able to the required number of poolgroups it will fail. Note: if the minimum is set to zero or the minimum is not set the plugin will return a success if no other errors occur, even if no poolgroups were found.
If this is set to 'yes', a line in the groupmapfile like <FQAN> .poolgr will result in groups matching the regexp poolgr[0-9]+. Otherwise it will be allowed to match poolgr.* (legacy behaviour).
Please report any errors to the Nikhef Grid Middleware Security Team <[email protected]>.
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team <[email protected]>.