libXrdVoms(1) | General Commands Manual | libXrdVoms(1) |
libXrdVoms - XRootD plug-in to extract VOMS attributes
sec.protparm gsi -vomsfun:libXrdVoms.so
sec.protparm gsi -vomsfunparms:options
The libXrdVoms plug-in provides an implementation of the
int XrdSecgsiVOMSFun(XrdSecEntity &ent)
int XrdSecgsiVOMSInit(const char *cfg)
functions making use of the official VOMS API libraries to validate and extract the VOMS attributes from a VOMS proxy.
The following options are available:
certfmt={raw,pem,x509}
grpopt=opt
grps=grp1[,grp2,...]
vos=vo1[,vo2,...]
grpfmt=fmtstring, rolefmt=fmtstring, vofmt=fmtstring
<r>: role
<g>: group
<vo>: VO
<an>: Fully Qualified Attribute Name
dbg
Multiple options can be specified separated by '|'.
Specifying the grps or vos options forces a failure if the requested group and/or VO is not found. In this regard, this plug-in may act as a sort of authorization filter. Note that more refined authorization based on VOMS information may be achieved using the libXrdSecgsiAuthzVO plug-in distributed with XRootD.
Option 'all' for the group selection (which=2) will generate a vertically sliced tuple including VO, group and role fields. For example, the following VOMS attributes
attribute : /atlas/de/Role=production/Capability=NULL
attribute : /atlas/de/Role=NULL/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
would result in the following content in the XrdSecEntity fields:
vorg: atlas      atlas     atlas
grps: /atlas/de  /atlas/de /atlas
role: production NULL      NULL
The default XrdAcc will take its decision by checking in turn the triplets obtained by slicing this tuple vertically.
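The vertical slicing described above, as an added C++ example (not code from libXrdVoms or XRootD): it builds the three space-separated fields from the example attributes and reads them back as (VO, group, role) triplets. The struct and function names are hypothetical, and rejecting columns of unequal length is an assumption of this example, not documented XrdAcc behaviour.

```cpp
// Added illustration; not code from libXrdVoms or XRootD.
#include <sstream>
#include <string>
#include <vector>

// Hypothetical holders for the space-separated fields named on this page.
struct VomsFields { std::string vorg, grps, role; };
struct Triplet { std::string vo, group, role; };

// Split one attribute of the form /vo[/subgroup...]/Role=r/Capability=c.
// Returns false if the string does not have that shape.
static bool parseFqan(const std::string &fqan, Triplet &t) {
    const std::string::size_type npos = std::string::npos;
    if (fqan.empty() || fqan[0] != '/') return false;
    std::string::size_type rpos = fqan.find("/Role=");
    if (rpos == npos || rpos == 0) return false;
    t.group = fqan.substr(0, rpos);                 // e.g. /atlas/de
    std::string::size_type vend = t.group.find('/', 1);
    t.vo = t.group.substr(1, vend == npos ? npos : vend - 1);
    std::string::size_type rstart = rpos + 6;       // skip "/Role="
    std::string::size_type rend = fqan.find('/', rstart);
    t.role = fqan.substr(rstart, rend == npos ? npos : rend - rstart);
    return !t.vo.empty() && !t.role.empty();
}

// Build the three fields. A malformed attribute is skipped as a whole, so
// the columns never drift out of step with each other.
VomsFields buildFields(const std::vector<std::string> &fqans) {
    VomsFields f;
    for (const std::string &a : fqans) {
        Triplet t;
        if (!parseFqan(a, t)) continue;
        const char *sep = f.vorg.empty() ? "" : " ";
        f.vorg += sep + t.vo;
        f.grps += sep + t.group;
        f.role += sep + t.role;
    }
    return f;
}

// Slice the fields vertically. Columns of unequal length yield no triplets
// (assumption of this example: fail closed rather than pair up wrong values).
std::vector<Triplet> slice(const VomsFields &f) {
    std::istringstream v(f.vorg), g(f.grps), r(f.role);
    std::vector<Triplet> out;
    Triplet t;
    while (true) {
        bool a = static_cast<bool>(v >> t.vo);
        bool b = static_cast<bool>(g >> t.group);
        bool c = static_cast<bool>(r >> t.role);
        if (a && b && c) { out.push_back(t); continue; }
        if (a || b || c) out.clear();
        return out;
    }
}
```

Because the triplets are matched by position, a role is only meaningful together with the VO and group in the same column; "production" here belongs to /atlas/de and not to /atlas.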
The following example shows how to configure the plug-in to select VO=cms, select the first group, use the PEM format for the proxy and switch on debugging; it also shows how to specify multiple options, either on the same line or on multiple lines.
sec.protparm gsi -vomsfun:libXrdVoms.so
sec.protparm gsi -vomsfunparms:grpopt=0|vos=cms|certfmt=pem
sec.protparm gsi -vomsfunparms:dbg
The plug-in files are
lib64/libXrdVoms-4.so (or lib/libXrdVoms-4.so)
include/xrootd/private/XrdVoms/XrdVoms.hh
and are typically available under /usr.
The environment variable X509_VOMS_DIR must be set to a valid directory; this is typically /etc/grid-security/vomsdir.
The libXrdVoms plug-in requires libvomsapi.so and the openssl libraries. In case of a load failure it may be useful to check with ldd whether all the required dependencies are correctly resolved.
LGPL; see http://www.gnu.org/licenses/.
The libXrdVoms plug-in has been implemented by Gerardo Ganis (Gerardo.Ganis@cern.ch). Any request for support should be addressed via the project main web site
https://github.com/gganis/vomsxrd
or via the XRootD support site
https://github.com/xrootd/xrootd
v5.0.3 |