libXrdVoms - Man Page
XRootD plug-in to extract VOMS attributes
Synopsis
    sec.protparm gsi -vomsfun:libXrdVoms.so
    sec.protparm gsi -vomsfunparms:options
Description
The libXrdVoms plug-in provides an implementation of the
    int XrdSecgsiVOMSFun(XrdSecEntity &ent)
    int XrdSecgsiVOMSInit(const char *cfg)
functions, making use of the official VOMS API libraries to validate and extract the VOMS attributes from a VOMS proxy.
Options
The following options are available:
- certfmt={raw,pem,x509}
Certificate format: raw, to be used with XrdCrypto tools; pem, PEM base64 format (as in cert files); x509, as a STACK_OF(X509). Default: raw.
- grpopt=opt
Defines how to use the group name information; opt is defined as sel * 10 + which, with sel either 0 (consider all the groups present in the VOMS extension) or 1 (select among the groups specified by the grps option; see below); which can be 0 (take the first one), 1 (take the last one) or 2 (take all, comma separated, and create a vertically sliced tuple; see Notes below).
- grps=grp1[,grp2,...]
Group(s) for which the information is extracted; if specified, the grpopt sel is set to 1 regardless of its setting; see Notes below.
- vos=vo1[,vo2,...]
VOs to be considered; the first match is taken; see Notes below.
- grpfmt=fmtstring, rolefmt=fmtstring, vofmt=fmtstring
Strings used to format the content of XrdSecEntity::grps, XrdSecEntity::role and XrdSecEntity::vorg, respectively. These strings are optional and by default they are empty.
Recognized place holders in the above format strings:
    <r>   role
    <g>   group
    <vo>  VO
    <an>  Fully Qualified Attribute Name
For example, rolefmt=<g>|grpfmt=<r>|vofmt="<vo> <an>" will swap the group and role fields, and will add a space and the FQAN after the VO in the vorg field of XrdSecEntity.
- dbg
Force verbose mode.
Multiple options can be specified separated by '|'.
Notes
Specifying the grps or vos options forces a failure if the requested group and/or VO is not found. In this regard, this plug-in may act as a sort of authorization filter. Note that more refined authorization based on VOMS information may be achieved using the libXrdSecgsiAuthzVO plug-in distributed with XRootD.
Option 'all' for the group selection (which=2) will generate a vertically sliced tuple including the VO, group and role fields. For example, the following VOMS attributes
    attribute : /atlas/de/Role=production/Capability=NULL
    attribute : /atlas/de/Role=NULL/Capability=NULL
    attribute : /atlas/Role=NULL/Capability=NULL
would result in the following content in the XrdSecEntity fields:
    vorg: atlas atlas atlas
    grps: /atlas/de /atlas/de /atlas
    role: production NULL NULL
The default XrdAcc will take its decision by checking in turn the triplets obtained by slicing this tuple vertically.
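The option semantics above (the sel * 10 + which encoding of grpopt, the grps/vos filter that turns the plug-in into an authorization gate, the <r>/<g>/<vo>/<an> place holders, and the vertically sliced tuple) are modelled below in an added Python example. It is not the plug-in's own code (libXrdVoms is C++ built on the VOMS API) and only mirrors the behaviour this page describes; the three sample FQANs are the ones from the Notes section, constructed inline. Two details are assumptions: tuple fields are joined with single spaces, as the Notes output shows, and sel=1 with no grps option keeps every group.

```python
"""Model of libXrdVoms option handling (added example; not the plug-in's own code)."""
from dataclasses import dataclass

# Constructed sample input: the three VOMS attributes from the Notes section.
SAMPLE_FQANS = [
    "/atlas/de/Role=production/Capability=NULL",
    "/atlas/de/Role=NULL/Capability=NULL",
    "/atlas/Role=NULL/Capability=NULL",
]


@dataclass
class Entity:
    """Stand-in for the three XrdSecEntity fields the plug-in fills."""
    vorg: str = ""
    grps: str = ""
    role: str = ""


def parse_params(params):
    """Split a -vomsfunparms string on '|'; bare flags such as dbg map to True."""
    opts = {}
    for item in params.split("|"):
        if not item.strip():
            continue
        key, sep, val = item.partition("=")
        opts[key.strip()] = val.strip().strip('"') if sep else True
    return opts


def decode_grpopt(opts):
    """grpopt = sel * 10 + which; a grps option forces sel = 1. Returns (sel, which)."""
    sel, which = divmod(int(opts.get("grpopt", 0)), 10)
    if "grps" in opts:
        sel = 1
    if sel not in (0, 1) or which not in (0, 1, 2):
        raise ValueError(f"unsupported grpopt value: {opts.get('grpopt')}")
    return sel, which


def parse_fqan(fqan):
    """'/atlas/de/Role=production/Capability=NULL' -> ('atlas', '/atlas/de', 'production')."""
    parts = fqan.split("/")[1:]
    group_parts = [p for p in parts if "=" not in p]
    role = next((p[len("Role="):] for p in parts if p.startswith("Role=")), "NULL")
    return group_parts[0], "/" + "/".join(group_parts), role


def render(template, default, vo, group, role, fqan):
    """Expand the <r>, <g>, <vo>, <an> place holders; an empty template yields the plain value."""
    if not template:
        return default
    return (template.replace("<r>", role).replace("<g>", group)
            .replace("<vo>", vo).replace("<an>", fqan))


def select(fqans, params):
    """Apply vos/grps/grpopt/*fmt to the proxy's FQANs; LookupError models the forced failure."""
    opts = parse_params(params)
    sel, which = decode_grpopt(opts)
    rows = [(f, *parse_fqan(f)) for f in fqans]  # (fqan, vo, group, role)
    if "vos" in opts:  # the first listed VO that appears in the proxy is taken
        wanted = opts["vos"].split(",")
        vo_hit = next((v for v in wanted if any(r[1] == v for r in rows)), None)
        if vo_hit is None:
            raise LookupError(f"none of the requested VOs {wanted} present")
        rows = [r for r in rows if r[1] == vo_hit]
    if sel == 1 and "grps" in opts:  # assumption: sel=1 without grps keeps every group
        wanted = opts["grps"].split(",")
        rows = [r for r in rows if r[2] in wanted]
        if not rows:
            raise LookupError(f"none of the requested groups {wanted} present")
    chosen = {0: rows[:1], 1: rows[-1:], 2: rows}[which]
    # Assumption: each XrdSecEntity field is the space-joined column of the tuple.
    vorg = [render(opts.get("vofmt", ""), v, v, g, r, f) for f, v, g, r in chosen]
    grps = [render(opts.get("grpfmt", ""), g, v, g, r, f) for f, v, g, r in chosen]
    role = [render(opts.get("rolefmt", ""), r, v, g, r, f) for f, v, g, r in chosen]
    return Entity(" ".join(vorg), " ".join(grps), " ".join(role))


def is_authorized(fqans, params):
    """True when selection succeeds; False when a requested VO or group is missing."""
    try:
        select(fqans, params)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    print(select(SAMPLE_FQANS, "grpopt=2"))            # the sliced tuple from the Notes
    print(is_authorized(SAMPLE_FQANS, "vos=cms"))      # False: proxy carries atlas only
```

Running the module prints the vertically sliced tuple for grpopt=2 and shows that the vos=cms configuration from the Examples section rejects an atlas-only proxy, which is the authorization-filter effect described in the Notes.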
Examples
The following example shows how to configure the plug-in to select VO=cms, select the first group, use the PEM format for the proxy and switch on debugging; it also shows how to specify multiple options, either on the same line or on multiple lines.
    sec.protparm gsi -vomsfun:libXrdVoms.so
    sec.protparm gsi -vomsfunparms:grpopt=0|vos=cms|certfmt=pem
    sec.protparm gsi -vomsfunparms:dbg
Files
The plug-in files are
    lib64/libXrdVoms-4.so (or lib/libXrdVoms-4.so)
    include/xrootd/private/XrdVoms/XrdVoms.hh
and are typically available under /usr.
Environment
The environment X509_VOMS_DIR must be set to a valid directory; this is typically /etc/grid-security/vomsdir.
Diagnostics
The libXrdVoms plug-in requires libvomsapi.so and the OpenSSL libraries. In case of a load failure it may be useful to check with ldd whether all the required dependencies are correctly resolved.
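The two pre-flight checks from the Environment and Diagnostics sections (X509_VOMS_DIR pointing at a readable directory, and ldd reporting no unresolved dependency for the plug-in) as an added POSIX shell helper; this is not part of the plug-in or of XRootD. The plug-in path in the usage line is taken from the Files section and is an assumption about where the library was installed.

```shell
#!/bin/sh
# Added example: pre-flight checks before loading libXrdVoms (not plug-in code).

# Return 0 if X509_VOMS_DIR names a readable directory, 1 otherwise.
check_vomsdir() {
    dir="${X509_VOMS_DIR:-}"
    if [ -z "$dir" ]; then
        echo "X509_VOMS_DIR is not set (typically /etc/grid-security/vomsdir)" >&2
        return 1
    fi
    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "X509_VOMS_DIR=$dir is not a readable directory" >&2
        return 1
    fi
    return 0
}

# Return 0 if the dynamic loader resolves every library the plug-in needs,
# 1 if the file is missing, is not a shared object, or ldd lists "not found"
# entries (the unresolved names, e.g. libvomsapi or OpenSSL, are printed).
check_plugin_deps() {
    lib="$1"
    if [ ! -f "$lib" ]; then
        echo "plug-in not found: $lib" >&2
        return 1
    fi
    out=$(ldd "$lib" 2>&1) || {
        echo "ldd failed on $lib: $out" >&2
        return 1
    }
    missing=$(printf '%s\n' "$out" | grep 'not found') && {
        echo "unresolved dependencies for $lib:" >&2
        echo "$missing" >&2
        return 1
    }
    return 0
}

# Usage (assumed install location, see the Files section):
#   X509_VOMS_DIR=/etc/grid-security/vomsdir check_vomsdir && \
#       check_plugin_deps /usr/lib64/libXrdVoms-4.so
```

Both functions print the reason for a failure on stderr and return non-zero, so they can be dropped into a service start-up script to refuse to start with an unusable VOMS configuration rather than discovering it on the first GSI handshake.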
License
LGPL; see http://www.gnu.org/licenses/.
Author and Support
The libXrdVoms plug-in has been implemented by Gerardo Ganis (Gerardo.Ganis@cern.ch). Any request for support should be addressed via the project main web site
https://github.com/gganis/vomsxrd
or via the XRootD support site
Referenced By
The man page libXrdSecgsiVOMS(1) is an alias of libXrdVoms(1).