
Provided by: xrootd-voms-plugins_5.5.3-1_amd64

NAME

       libXrdVoms - XRootD plug-in to extract VOMS attributes

SYNOPSIS

       sec.protparm gsi -vomsfun:libXrdVoms.so
       sec.protparm gsi -vomsfunparms:options

DESCRIPTION

       The libXrdVoms plug-in provides an implementation of the

       int XrdSecgsiVOMSFun(XrdSecEntity &ent)
       int XrdSecgsiVOMSInit(const char *cfg)

       functions  making  use of the official VOMS API libraries to validate and extract the VOMS
       attributes from a VOMS proxy.

OPTIONS

       The following options are available:

       certfmt={raw,pem,x509}
         Certificate format: raw to be used with XrdCrypto tools; pem PEM base64  format  (as  in
         cert files); x509, as a STACK_OF(X509). Default: raw.

       grpopt=opt
         Defines how to use the group names information; opt is defined as sel * 10 + which, with
         sel either 0 (consider all the groups present in the VOMS extension) or 1 (select  among
         those  groups  specified by the grps option; see below); which can be either 0 (take the
         first one) or 1 (take the last) or 2 (take all, comma separated, and create a
         vertically sliced tuple; see NOTES below).

       grps=grp1[,grp2,...]
         Group(s)  for which the information is extracted; if specified, the grpopt sel is set to
         1 regardless of the setting; see NOTES below.

       vos=vo1[,vo2,...]
         VOs to be considered; the first match is taken; see NOTES below.

       grpfmt=fmtstring, rolefmt=fmtstring, vofmt=fmtstring
         String to be used to  format  the  content  of  XrdSecEntity::grps,  XrdSecEntity::role,
         XrdSecEntity::vorg,  respectively.   These  strings are optional and by default they are
         empty.
         Recognized place holders in the above format strings:

            <r>: role
            <g>: group
            <vo>: VO
            <an>: Fully Qualified Attribute Name

         For example, rolefmt=<g>|grpfmt=<r>|vofmt="<vo> <an>" will swap the group and role,
         and will add a space and the FQAN in the vorg field of XrdSecEntity.

       dbg
         Force verbose mode.

       Multiple options can be specified separated by '|'.

NOTES

       Specifying  grps  or  vos options forces a failure if the requested group and/or VO is not
       found. In this regard, this plug-in may act as a sort of authorization filter.  Note  that
       more refined authorization based on VOMS information may be achieved using the
       libXrdSecgsiAuthzVO plug-in distributed with XRootD.

       Option 'all' for the group selection (which=2) will generate a vertically sliced tuple
       including VO, group and role fields. For example, the following VOMS attributes

       attribute : /atlas/de/Role=production/Capability=NULL
       attribute : /atlas/de/Role=NULL/Capability=NULL
       attribute : /atlas/Role=NULL/Capability=NULL

       would result in the following content in the XrdSecEntity fields:

       vorg: atlas atlas atlas
       grps: /atlas/de /atlas/de /atlas
       role: production NULL NULL

       The  default  XrdAcc  will  take  its  decision  by checking in turn the triplets obtained
       slicing vertically this tuple.
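
       The vertical slicing described above, as an added example (not code from XRootD or
       the plug-in): it splits space-separated vorg, grps and role strings, laid out as in
       the tuple shown above, into per-column triplets and compares a same-column check with
       one that matches each field independently. Triplet, sliceTuple, allowedByTriplet and
       allowedByField are hypothetical names; the input is constructed from the NOTES tuple.

```cpp
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct Triplet { std::string vo, grp, role; };

// Split a whitespace-separated field (layout as in the NOTES tuple) into entries.
static std::vector<std::string> fields(const std::string &s) {
    std::istringstream in(s);
    std::vector<std::string> out;
    for (std::string tok; in >> tok;) out.push_back(tok);
    return out;
}

// Column i of each field forms triplet i; returns false if the columns do not line up.
bool sliceTuple(const std::string &vorg, const std::string &grps,
                const std::string &role, std::vector<Triplet> &out) {
    const std::vector<std::string> v = fields(vorg), g = fields(grps), r = fields(role);
    out.clear();
    if (v.empty() || v.size() != g.size() || g.size() != r.size()) return false;
    for (std::size_t i = 0; i < v.size(); ++i) out.push_back({v[i], g[i], r[i]});
    return true;
}

// Correct check: VO, group and role must all come from the same column.
bool allowedByTriplet(const std::vector<Triplet> &t, const Triplet &need) {
    for (const Triplet &x : t)
        if (x.vo == need.vo && x.grp == need.grp && x.role == need.role) return true;
    return false;
}

// Flawed check, for contrast: fields matched independently, so a role held in
// one group is credited to every other group in the tuple.
bool allowedByField(const std::vector<Triplet> &t, const Triplet &need) {
    bool vo = false, grp = false, role = false;
    for (const Triplet &x : t) {
        vo = vo || x.vo == need.vo;
        grp = grp || x.grp == need.grp;
        role = role || x.role == need.role;
    }
    return vo && grp && role;
}

int main() {
    std::vector<Triplet> t;  // constructed sample: the tuple from NOTES
    sliceTuple("atlas atlas atlas", "/atlas/de /atlas/de /atlas", "production NULL NULL", t);
    const Triplet need{"atlas", "/atlas", "production"};  // role not held in /atlas
    std::printf("triplet=%d field=%d\n", allowedByTriplet(t, need), allowedByField(t, need));
}
```

       A consumer of the tuple should deny access when sliceTuple fails, since misaligned
       columns make the group-to-role pairing ambiguous.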

EXAMPLES

       The following example shows how to configure the plugin to select VO=cms, select the
       first group, use the PEM format for the proxy and switch on debugging; it also shows how
       to specify multiple options, either on the same line or on multiple lines.

            sec.protparm gsi -vomsfun:libXrdVoms.so
            sec.protparm gsi -vomsfunparms:grpopt=0|vos=cms|certfmt=pem
            sec.protparm gsi -vomsfunparms:dbg

FILES

       The plug-in files are
       lib64/libXrdVoms-4.so (or lib/libXrdVoms-4.so)
       include/xrootd/private/XrdVoms/XrdVoms.hh

       and are typically available under /usr.

ENVIRONMENT

       The environment variable X509_VOMS_DIR must be set to a valid directory; this is
       typically /etc/grid-security/vomsdir.

DIAGNOSTICS

       The  libXrdVoms  plug-in requires libvomsapi.so and the openssl libraries. In case of load
       failure it may be useful to check with ldd if all the required dependencies are  correctly
       resolved.

LICENSE

       LGPL; see http://www.gnu.org/licenses/.

AUTHOR AND SUPPORT

       The libXrdVoms plug-in has been implemented by Gerardo Ganis (Gerardo.Ganis@cern.ch).  Any
       request for support should be addressed via the project main web site
                                   https://github.com/gganis/vomsxrd

       or via the XRootD support site
                                    https://github.com/xrootd/xrootd

                                              v5.5.3                                libXrdVoms(1)