1libXrdVoms(1)               General Commands Manual              libXrdVoms(1)
2
3
4

NAME

6       libXrdVoms - XRootD plug-in to extract VOMS attributes
7

SYNOPSIS

9       sec.protparm gsi -vomsfun:libXrdVoms.so
10       sec.protparm gsi -vomsfunparms:options
11
12

DESCRIPTION

14       The libXrdVoms plug-in provides an implementation of the
15
16       int XrdSecgsiVOMSFun(XrdSecEntity &ent)
17       int XrdSecgsiVOMSInit(const char *cfg)
18
19       functions making use of the official VOMS API libraries to validate and
20       extract the VOMS attributes from a VOMS proxy.
21
22

OPTIONS

24       The following options are available:
25
26       certfmt={raw,pem,x509}
27         Certificate format: raw to be used  with  XrdCrypto  tools;  pem  PEM
28         base64 format (as in cert files); x509, as a STACK_OF(X509). Default:
29         raw.
30
31       grpopt=opt
32         Defines how to use the group names information; opt is defined as sel
33         *  10  + which, with sel either 0 (consider all the groups present in
34         the VOMS extension) or 1 (select among those groups specified by  the
35         grps  option;  see below); which can be either 0 (take the first one)
36         or 1 (take the last) or 2 (take all, comma separated, and  created  a
37         vertically sliced tuple; see NOTES below).
38
39       grps=grp1[,grp2,...]
40         Group(s)  for  which  the information is extracted; if specified, the
41         grpopt sel is set to 1 regardless of the setting; see NOTES below.
42
43       vos=vo1[,vo2,...]
44         VOs to be considered; the first match is taken; see NOTES below.
45
46       grpfmt=fmtstring, rolefmt=fmtstring, vofmt=fmtstring
47         String to be used to format the content of XrdSecEntity::grps, XrdSe‐
48         cEntity::role,  XrdSecEntity::vorg,  respectively.  These strings are
49         optional and by default they are empty.
50         Recognized place holders in the above format strings:
51
52            <r>: role
53            <g>: group
54            <vo>: VO
55            <an>: Full Qualified Attribute Name
56
57         For example, rolefmt=<g>|grpfmt=<r>|vofmt="<vo>  <an>"  will  inverse
58         the  group  and  role,  and will add a space and the FQAN in the vorg
59         field of XrdSecEntity.
60
61       dbg
62         Force verbose mode.
63
64       Multiple options can be specified separated by '|'.
65
66

NOTES

68       Specifying grps or vos options forces a failure if the requested  group
69       and/or  VO is not found. In this regard, this plug-in may act as a sort
70       of authorization filter. Note that most refined authorization based  on
71       VOMS  information may be achieved using the libXrdSecgsiAuthzVO plug-in
72       distributed with XRootD.
73
74       Option 'all' for the group selection (which=2) will generated a  verti‐
75       cally  sliced  tuple  including VO, group and role fields. For example,
76       the following VOMS attributes
77
78       attribute : /atlas/de/Role=production/Capability=NULL
79       attribute : /atlas/de/Role=NULL/Capability=NULL
80       attribute : /atlas/Role=NULL/Capability=NULL
81
82       would result in following content in the XrdSecEntity fields:
83
84       vorg: atlas atlas atlas
85       grps: /atlas/de /atlas/de /atlas
86       role: producton NULL NULL
87
88       The default XrdAcc will take its decision by checking in turn the trip‐
89       lets obtained slicing vertically this tuple.
90
91

EXAMPLES

93       The  following example shows how configure the plugin to select VO=cms,
94       select the first group, use the PEM format for the proxy and switch  on
95       debugging; it shows also how to specify multiple options, either on the
96       same line or on multiple lines.
97
98            sec.protparm gsi -vomsfun:libXrdVoms.so
99            sec.protparm gsi -vomsfunparms:grpopt=0|vos=cms|certfmt=pem
100            sec.protparm gsi -vomsfunparms:dbg
101
102

FILES

104       The plug-in files are
105       lib64/libXrdVoms-4.so (or lib/libXrdVoms-4.so)
106       include/xrootd/private/XrdVoms/XrdVoms.hh
107
108       and are typically available under /usr.
109
110
111

ENVIRONMENT

113       The environment X509_VOMS_DIR must be set to a valid directory; this is
114       typically /etc/grid-security/vomsdir.
115
116

DIAGNOSTICS

118       The  libXrdVoms  plug-in  requires  libvomsapi.so  and  the openssl li‐
119       braries. In case of load failure it may be useful to check with ldd  if
120       all the required dependencies are correctly resolved.
121
122

LICENSE

124       LGPL; see http://www.gnu.org/licenses/.
125
126

AUTHOR AND SUPPORT

128       The  libXrdVoms  plug-in  has  been  implemented by Gerardo Ganis (Ger‐
129       ardo.Ganis@cern.ch).  Any request for support should addressed via  the
130       project main web site
131                          https://github.com/gganis/vomsxrd
132
133       or via the XRootD support site
134                          https://github.com/xrootd/xrootd
135
136
137
138                                    v5.2.0                       libXrdVoms(1)
Impressum