Gridmap Account Mapping Proposal

In order to support proxy without AC, it should be possible to map the user primary group based on his DN.

Requirements

1. Allow DNs based group (pool account, static) mapping in the group mapfile
2. Configuration options:
   • preferDNForLoginName if a FQAN and a DN mapping exist for the login name, prefer the DN based mapping
   • preferDNForPrimaryGroup - works the same as preferDNForLoginName but for the primary group.
   • noPrimaryGroupIsError - indicates that the failure to find a mapping in the group map file causes the obligation handling (and thus the overall authorization process) to fail.
3. Allow the Argus server to send back the login name with or without group names. The resolution of names to numeric IDs would continue to occur on the authorization client side.

User and Group Mapping Process

• user-id is the user login name
• group-id is the user primary group
• group-ids[] is a list of secondary groups

Pseudo Code

//
// Username mapping
//
dn_user-id :=  first DN mapping from grid mapfile
fqan_user-id := first primary FQAN mapping from grid mapfile

if preferDNForLoginName and dn_user-id not NULL then
   user-id := dn_user-id
else
   user-id := fqan_user-id

if user-id is NULL then fail

//
// Primary and secondary groups mapping
//
dn_groups[] := all DN mapping from group mapfile (in order)
fqan_groups[] := all FQANs mapping from group mapfile (in order)

if preferDNForPrimaryGroup and dn_groups[] not empty then
   group-id := first element of dn_groups[]
else
   group-id := first element of fqan_groups[]

if noPrimaryGroupIsError and group-id is NULL then fail

group-ids[] := fqan_groups[] + dn_groups[]