Gridmap Account Mapping Proposal
In order to support proxies without an AC, it should be possible to map the user's primary group based on their DN.
Requirements
- Allow DN-based group mapping (pool account, static) in the group mapfile
- Configuration options:
  - preferDNForLoginName: if both a FQAN and a DN mapping exist for the login name, prefer the DN-based mapping
  - preferDNForPrimaryGroup: works the same as preferDNForLoginName, but for the primary group
  - noPrimaryGroupIsError: indicates that failure to find a mapping in the group mapfile causes the obligation handling (and thus the overall authorization process) to fail
- Allow the Argus server to send back the login name with or without group names. The resolution of names to numeric IDs would continue to occur on the authorization client side.
User and Group Mapping Process
- user-id: the user login name
- group-id: the user primary group
- group-ids[]: the list of secondary groups
Pseudo Code
//
// Username mapping
//
dn_user-id   := first DN mapping from grid mapfile
fqan_user-id := first primary FQAN mapping from grid mapfile
if preferDNForLoginName and dn_user-id not NULL then
    user-id := dn_user-id
else
    user-id := fqan_user-id
if user-id is NULL then fail

//
// Primary and secondary groups mapping
//
dn_groups[]   := all DN mappings from group mapfile (in order)
fqan_groups[] := all FQAN mappings from group mapfile (in order)
if preferDNForPrimaryGroup and dn_groups[] not empty then
    group-id := first element of dn_groups[]
else
    group-id := first element of fqan_groups[]
if noPrimaryGroupIsError and group-id is NULL then fail
group-ids[] := fqan_groups[] + dn_groups[]
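As an added illustration (not the Argus project's own code), the following Python implements the mapping process above over constructed sample mapfiles. It assumes the usual mapfile line format of a quoted DN or FQAN followed by a name, that the caller passes the FQANs with the primary FQAN first (an empty list for a proxy without AC), and it follows the pseudo code literally, so it does not fall back to the other source when the preferred one has no mapping.

```python
import shlex
from dataclasses import dataclass

@dataclass
class Config:
    preferDNForLoginName: bool = False
    preferDNForPrimaryGroup: bool = False
    noPrimaryGroupIsError: bool = False

def parse_mapfile(text):
    """Parse gridmap-style lines ('"<DN or FQAN>" <name>') into (key, name) pairs, keeping file order."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # strips the quotes and '#' comments
        if len(fields) == 2:
            entries.append((fields[0], fields[1]))
    return entries

def lookup(entries, key):
    return [name for k, name in entries if k == key]  # every mapping for key, in file order

def map_account(dn, fqans, grid_map, group_map, cfg):
    """Return (user_id, group_id, group_ids) as in the pseudo code; raise ValueError where it says 'fail'."""
    # Username mapping: fqans[0] is the primary FQAN; an empty list is a proxy without AC
    dn_user = next(iter(lookup(grid_map, dn)), None)
    fqan_user = next(iter(lookup(grid_map, fqans[0])), None) if fqans else None
    user_id = dn_user if cfg.preferDNForLoginName and dn_user is not None else fqan_user
    if user_id is None:
        raise ValueError("no login name mapping for " + dn)
    # Primary and secondary groups mapping
    dn_groups = lookup(group_map, dn)
    fqan_groups = [g for f in fqans for g in lookup(group_map, f)]
    if cfg.preferDNForPrimaryGroup and dn_groups:
        group_id = dn_groups[0]
    else:
        group_id = fqan_groups[0] if fqan_groups else None
    if cfg.noPrimaryGroupIsError and group_id is None:
        raise ValueError("no primary group mapping for " + dn)
    return user_id, group_id, fqan_groups + dn_groups

# Constructed sample mapfiles for this example (not a real site configuration)
GRID_MAPFILE = parse_mapfile('''
"/DC=org/DC=example/CN=Alice" alice
"/atlas/Role=production" .prdatl
''')
GROUP_MAPFILE = parse_mapfile('''
"/DC=org/DC=example/CN=Alice" alicegrp
"/atlas/Role=production" atlasprd
"/atlas" atlas
''')
```

With the default configuration the FQAN mappings win (.prdatl, atlasprd); with both prefer options set the same proxy maps to alice and alicegrp, and a proxy without AC then still resolves through the DN entries alone.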