libXrdVoms - Man Page

XRootD plug-in to extract VOMS attributes

Synopsis

sec.protparm gsi -vomsfun:libXrdVoms.so
sec.protparm gsi -vomsfunparms:options

Description

The libXrdVoms plug-in provides an implementation of the

int XrdSecgsiVOMSFun(XrdSecEntity &ent)
int XrdSecgsiVOMSInit(const char *cfg)

functions making use of the official VOMS API libraries to validate and extract the VOMS attributes from a VOMS proxy.

Options

The following options are available:

certfmt={raw,pem,x509}

Certificate format: raw to be used with XrdCrypto tools; pem PEM base64 format (as in cert files); x509, as a STACK_OF(X509). Default: raw.

grpopt=opt

Defines how to use the group names information; opt is defined as sel * 10 + which, with sel either 0 (consider all the groups present in the VOMS extension) or 1 (select among those groups specified by the grps option; see below); which can be either 0 (take the first one) or 1 (take the last) or 2 (take all, comma separated, and created a vertically sliced tuple; see Notes below).

grps=grp1[,grp2,...]

Group(s) for which the information is extracted; if specified, the grpopt sel is set to 1 regardless of the setting; see Notes below.

vos=vo1[,vo2,...]

VOs to be considered; the first match is taken; see Notes below.

grpfmt=fmtstring, rolefmt=fmtstring, vofmt=fmtstring

String to be used to format the content of XrdSecEntity::grps, XrdSecEntity::role, XrdSecEntity::vorg, respectively. These strings are optional and by default they are empty.
Recognized place holders in the above format strings:

<r>: role
<g>: group
<vo>: VO
<an>: Full Qualified Attribute Name

For example, rolefmt=<g>|grpfmt=<r>|vofmt="<vo> <an>" will inverse the group and role, and will add a space and the FQAN in the vorg field of XrdSecEntity.

dbg

Force verbose mode.

Multiple options can be specified separated by '|'.

Notes

Specifying grps or vos options forces a failure if the requested group and/or VO is not found. In this regard, this plug-in may act as a sort of authorization filter. Note that most refined authorization based on VOMS information may be achieved using the libXrdSecgsiAuthzVO plug-in distributed with XRootD.

Option 'all' for the group selection (which=2) will generated a vertically sliced tuple including VO, group and role fields. For example, the following VOMS attributes

attribute : /atlas/de/Role=production/Capability=NULL
attribute : /atlas/de/Role=NULL/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL

would result in following content in the XrdSecEntity fields:

vorg: atlas atlas atlas
grps: /atlas/de /atlas/de /atlas
role: producton NULL NULL

The default XrdAcc will take its decision by checking in turn the triplets obtained slicing vertically this tuple.

Examples

The following example shows how configure the plugin to select VO=cms, select the first group, use the PEM format for the proxy and switch on debugging; it shows also how to specify multiple options, either on the same line or on multiple lines.

sec.protparm gsi -vomsfun:libXrdVoms.so
sec.protparm gsi -vomsfunparms:grpopt=0|vos=cms|certfmt=pem
sec.protparm gsi -vomsfunparms:dbg

Files

The plug-in files are

lib64/libXrdVoms-4.so (or lib/libXrdVoms-4.so)
include/xrootd/private/XrdVoms/XrdVoms.hh

and are typically available under /usr.

Environment

The environment X509_VOMS_DIR must be set to a valid directory; this is typically /etc/grid-security/vomsdir.

Diagnostics

The libXrdVoms plug-in requires libvomsapi.so and the openssl libraries. In case of load failure it may be useful to check with ldd if all the required dependencies are correctly resolved.

License

LGPL; see http://www.gnu.org/licenses/.

Author and Support

The libXrdVoms plug-in has been implemented by Gerardo Ganis (Gerardo.Ganis@cern.ch). Any request for support should addressed via the project main web site

https://github.com/gganis/vomsxrd

or via the XRootD support site

https://github.com/xrootd/xrootd

Referenced By

The man page libXrdSecgsiVOMS(1) is an alias of libXrdVoms(1).

v5.7.2