globus_gss_assist_gridmap - Man Page

#define GlobusGssAssistFreeDNArray(dn_a)
Free array of distinguished names.

int globus_gss_assist_gridmap (char *globusidp, char **useridp)
Look up the default mapping for a Grid identity in a gridmap file.
int globus_gss_assist_userok (char *globusid, char *userid)
Gridmap entry existence check.
int globus_gss_assist_map_local_user (char *local_user, char **globusidp)
Look up the default Grid identity associated with a local user name.
globus_result_t globus_gss_assist_lookup_all_globusid (char *username, char **dns[], int *dn_count)
Look up all Grid IDs associated with a local user ID.
globus_result_t globus_gss_assist_map_and_authorize (gss_ctx_id_t context, char *service, char *desired_identity, char *identity_buffer, unsigned int identity_buffer_length)
Authorize the peer of a security context to use a service.
globus_result_t globus_gss_assist_map_and_authorize_sharing (char *shared_user_certificate, gss_ctx_id_t context, char *desired_identity, char *identity_buffer, unsigned int identity_buffer_length)
Authorize a particular credential for shared access.

Free array of distinguished names. Free the contents of a name array created during a successful call to globus_gss_assist_lookup_all_globusid()

Parameters

dn_a Array of names to free.

Return values

void

Look up the default mapping for a Grid identity in a gridmap file. The globus_gss_assist_gridmap() function parses the default gridmap file and modifies its useridp parameter to point to a copy of the string containing the default local identity that the grid identity is mapped to. If successful, the caller is responsible for freeing the string pointed to by useridp.

By default, globus_gss_assist_gridmap() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters

globusidp The GSSAPI name string of the identity who requested authorization
useridp A pointer to a string to be set to the default user ID for the local system. No validation is done to check that such a user exists.

Returns

On success, globus_gss_assist_gridmap() returns 0 and modifies the the string pointed to by the useridp parameter. If an error occurs, a non-zero value is returned and the value pointed to by useridp is undefined.

Return values

GLOBUS_SUCCESS Success
1 Error

Look up all Grid IDs associated with a local user ID. The globus_gss_assist_lookup_all_globusid() function parses a gridmap file and finds all Grid IDs that map to a local user ID. The dns parameter is modified to point to an array of Grid ID strings from the gridmap file, and the dn_count parameter is modified to point to the number of Grid ID strings in the array. The caller is responsible for freeing the array using the macro GlobusGssAssistFreeDNArray().

By default, globus_gss_assist_lookup_all_globusid() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters

username The local username to look up in the gridmap file.
dns A pointer to an array of strings. This function modifies this to point to a newly allocated array of strings. The caller must use the macro GlobusGssAssistFreeDNArray() to free this memory.
dn_count A pointer to an integer that is modified to contain the number of entries in the array returned via the dns parameter.

Returns

On success, globus_gss_assist_lookup_all_globusid() returns GLOBUS_SUCCESS and modifies its dns and dn_count parameters as described above. If an error occurs, globus_gss_assist_lookup_all_globusid() returns a globus_result_t that can be resolved to an error object and the values pointed to by dns and dn_count are undefined.

Return values

GLOBUS_SUCCESS Success
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_ARGUMENTS Error with arguments
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_GRIDMAP Invalid path to gridmap
GLOBUS_GSI_GSS_ASSIST_ERROR_ERRNO System error

Authorize the peer of a security context to use a service. The globus_gss_assist_map_and_authorize() function attempts to authorize the peer of a security context to use a particular service. If the desired_identity parameter is non-NULL, the authorization will succeed only if the peer is authorized for that identity. Otherwise, any valid authorized local user name will be used. If authorized, the local user name will be copied to the string pointed to by the identity_buffer parameter, which must be at least as long as the value passed as the identity_buffer_length parameter.

If authorization callouts are defined in the callout configuration file, globus_gss_assist_map_and_authorize() will invoke both the GLOBUS_GENERIC_MAPPING_TYPE callout and the GLOBUS_GENERIC_AUTHZ_TYPE callout; otherwise the default gridmap file will be used for mapping and no service-specific authorization will be done.

If globus_gss_assist_map_and_authorize() uses a gridmap file, it first looks for a file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters

context Security context to inspect for peer identity information.
service A NULL-terminated string containing the name of the service that an authorization decision is being made for.
desired_identity Optional. If non-NULL, perform an authorization to act as the local user named by this NULL-terminated string.
identity_buffer A pointer to a string buffer into which will be copied the local user name that the peer of the context is authorized to act as.
identity_buffer_length Length of the identity_buffer array.

Returns

On success, globus_gss_assist_map_and_authorize() returns GLOBUS_SUCCESS and copies the authorized local identity to the identity_buffer parameter. If an error occurs, globus_gss_assist_map_and_authorize() returns a globus_result_t that can be resolved to an error object.

Return values

GLOBUS_SUCCESS Success
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_CALLOUT_CONFIG Invalid authorization configuration file
GLOBUS_CALLOUT_ERROR_WITH_HASHTABLE
Hash table operation failed.
GLOBUS_CALLOUT_ERROR_CALLOUT_ERROR The callout itself returned a error.
GLOBUS_CALLOUT_ERROR_WITH_DL Dynamic library operation failed.
GLOBUS_CALLOUT_ERROR_OUT_OF_MEMORY Out of memory
GLOBUS_GSI_GSS_ASSIST_GSSAPI_ERROR A GSSAPI function returned an error
GLOBUS_GSI_GSS_ASSIST_GRIDMAP_LOOKUP_FAILED Gridmap lookup failure
GLOBUS_GSI_GSS_ASSIST_BUFFER_TOO_SMALL Caller provided insufficient buffer space for local identity

Authorize a particular credential for shared access. The globus_gss_assist_map_and_authorize_sharing() function attempts to authorize a particular credential for shared access. the desired_identity parameter is non-NULL, the authorization will succeed only if the credential is authorized for that identity. Otherwise, any valid authorized local user name will be used. If authorized, the local user name will be copied to the string pointed to by the identity_buffer parameter, which must be at least as long as the value passed as the identity_buffer_length parameter.

If authorization callouts are defined in the callout configuration file, globus_gss_assist_map_and_authorize_sharing() will invoke both the GLOBUS_GENERIC_MAPPING_TYPE callout and the GLOBUS_GENERIC_AUTHZ_TYPE callout; otherwise the default gridmap file will be used for mapping and no service-specific authorization will be done.

If globus_gss_assist_map_and_authorize_sharing() uses a gridmap file, it first looks for a file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters

shared_user_certificate cert and cert chain of user that owns the resources to be shared, in PEM format. This will be parsed to find the identity that should be mapped.
context Security context of the underlying connection. This should generally be ignored.
desired_identity Optional. If non-NULL, perform an authorization to act as the local user named by this NULL-terminated string.
identity_buffer A pointer to a string buffer into which will be copied the local user name that the peer of the context is authorized to act as.
identity_buffer_length Length of the identity_buffer array.

Returns

On success, globus_gss_assist_map_and_authorize_sharing() returns GLOBUS_SUCCESS and copies the authorized local identity to the identity_buffer parameter. If an error occurs, globus_gss_assist_map_and_authorize_sharing() returns a globus_result_t that can be resolved to an error object.

Return values

GLOBUS_SUCCESS Success
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_CALLOUT_CONFIG Invalid authorization configuration file
GLOBUS_CALLOUT_ERROR_WITH_HASHTABLE
Hash table operation failed.
GLOBUS_CALLOUT_ERROR_CALLOUT_ERROR The callout itself returned a error.
GLOBUS_CALLOUT_ERROR_WITH_DL Dynamic library operation failed.
GLOBUS_CALLOUT_ERROR_OUT_OF_MEMORY Out of memory
GLOBUS_GSI_GSS_ASSIST_GSSAPI_ERROR A GSSAPI function returned an error
GLOBUS_GSI_GSS_ASSIST_GRIDMAP_LOOKUP_FAILED Gridmap lookup failure
GLOBUS_GSI_GSS_ASSIST_BUFFER_TOO_SMALL Caller provided insufficient buffer space for local identity

Look up the default Grid identity associated with a local user name. The globus_gss_assist_map_local_user() function parses the gridmap file to determine a if the user name passed as the local_user parameter is the default local user for a Grid ID in the gridmap file. If so, it modifies globusidp to point to a copy of that ID. Otherwise, it searches the gridmap file for a Grid ID that has a non-default mapping for local_user and modifies globusidp to point to a copy of that ID. If successful, the caller is responsible for freeing the string pointed to by the globusidp pointer.

By default, globus_gss_assist_map_local_user() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters

local_user The local username to find a Grid ID for
globusidp A Grid ID that maps from the local_user.

Returns

On success, globus_gss_assist_map_local_user() returns 0 and modifies globusidp to point to a Grid ID that maps to local_user; otherwise, globus_gss_assist_map_local_user() returns 1 and the value pointed to by globusidp is undefined.

Return values

GLOBUS_SUCCESS Success
1 Error

Gridmap entry existence check. The globus_gss_assist_userok() function parses the default gridmap file and checks whether any mapping exists for the grid identity passed as the globusid parameter and the local user identity passed as the @ userid parameter.

By default, globus_gss_assist_userok() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters

globusid The GSSAPI name string of the identity who requested authorization
userid The local account name that access is sought for.

Returns

If globus_gss_assist_userok() is able to find a mapping between globusid and userid, it returns 0; otherwise it returns 1.

Return values

GLOBUS_SUCCESS Success
1 Error