lcmaps_voms_poolgroup.mod -GROUPMAPFILE|-groupmapfile|-GROUPMAP|-groupmap <groupmapfile> [-mapall] -GROUPMAPDIR|-groupmapdir <groupmapdir>
The poolgroup acquisition plugin is a VOMS-aware plugin. Its main purpose is to gather credential information from the VOMS acquisition plugin. This plugin gathers a primary GID and additional secondary GIDs. All the VO-GROUP-ROLE(-CAPABILITY) values are stored in the credential data structure in the Plugin Manager. This plugin retrieves that data and compares every VO-GROUP-ROLE value with the rows of a file that is by default known as 'groupmapfile'. The plugin looks up each value (a VO-GROUP-ROLE combination) and searches the groupmapfile for a match. Wildcards can be used in the groupmapfile to match VO-GROUP-ROLE combinations.
EXAMPLE 'groupmapfile':
/VO=atlas/GROUP=mcprod mcprod
/VO=atlas/GROUP=mcprod .atlas
/VO=atlas/GROUP=dev .atlas
/VO=atlas/GROUP=* .atlas
In the first row, the VO-GROUP combination /VO=atlas/GROUP=mcprod is mapped to a name that starts with an alphanumeric character (not a dot), which indicates a localgroup entry in the groupmapfile. The VO-GROUP specification /VO=atlas/GROUP=* indicates that all users from the Atlas VO with any group other than 'mcprod' will be mapped to the '.atlas' pool of (system) groups. Just like the poolaccount plugin, this plugin links an entry (in this case a VO-GROUP-ROLE combination) to a locally known group (taken from the 'atlas' pool, hence the name pool group). The mapping between the VO-GROUP-ROLE combination and a pool group is made by linking multiple filenames to one i-node. For more information about this way of linking the information in a filename to an i-node that represents a specific value, see how the poolaccount plugin works. The differences from the poolaccount plugin are that the key is a VO-GROUP-ROLE combination instead of a Distinguished Name, and that the groupmapfile (similar to the grid-mapfile) defines a poolgroup instead of a poolaccount. This plugin also uses a new directory, called (by default) 'groupmapdir'. This directory holds the i-nodes that are used for the mapping between poolgroups and VO-GROUP-ROLE combinations.
As you can see in the example, the 'mcprod' GROUP can be found by both the localgroup plugin and the poolgroup plugin. With the poolgroup plugin a mapping can be made between '/VO=atlas/GROUP=mcprod' and the group 'atlas001' (based on the .atlas pool). The '/VO=atlas/GROUP=dev' entry will also get a group from this '.atlas' pool but will be mapped to a different group, like 'atlas002'. Last but not least, there are arbitrary other groups not predefined in the groupmapfile, like '/VO=atlas/GROUP=foo'. This VO-GROUP combination will be matched by the '/VO=atlas/GROUP=*' row in the groupmapfile and will be mapped to a poolgroup (probably) called 'atlas003'. If someone then uses a VO-GROUP combination like '/VO=atlas/GROUP=bar', the plugin will find a link in the i-node structure between '/VO=atlas/GROUP=*' and 'atlas003', indicating that '/VO=atlas/GROUP=bar' will get 'atlas003' designated as the mapping for this VOMS data.
For every value in the Plugin Manager there will be a search in the groupmapfile. The first VO-GROUP-ROLE combination that is extracted becomes the primary group, unless a plugin that ran earlier has already set the primary group. The user interface software can set a user-defined order for the VOMS values that are put on the user's proxy certificate. With this feature the user can control the primary group, which could have more functionality in the future than it has now (audit, billing, etc.).
OPTIONS
-GROUPMAPFILE <groupmapfile>
See -groupmap
-groupmapfile <groupmapfile>
See -groupmap
-GROUPMAP <groupmapfile>
See -groupmap
-groupmap <groupmapfile>
When this option is set in the initialization string it overrides the default path to the groupmapfile. It is advised to use an absolute path to the groupmapfile to avoid using the wrong file (path). If this option is set without a path to the groupmapfile, initialization of the plugin fails and the plugin will not run until it has been disposed and reloaded.
-GROUPMAPDIR <groupmapdir>
See -groupmapdir
-groupmapdir <groupmapdir>
Here you can override the default directory path to the 'groupmapdir'. This directory is just like the gridmapdir and holds all the poolgroup mappings that have been or will be made by linking filenames to an i-node, indicating a mapping between a VO-GROUP-ROLE combination and a (system) group or GID.
-mapall
If this parameter is set, the plugin is forced to map all VOMS data entries to (system) groups and find their GIDs. If not all VOMS data (VO-GROUP-ROLE) entries on the certificate match rows in the groupmapfile, the plugin will fail. There is no communication between different plugins (like the localgroup plugin) about the failures. A log entry will state the VO-GROUP-ROLE combination that made the plugin fail.
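EXAMPLE
Added example (not LCMAPS code): a Python model of the groupmapfile lookup, the i-node linking in the groupmapdir and the -mapall failure described above, run on this page's example groupmapfile. The URL-encoded link name, fnmatch-style wildcard matching, first-match row order, the constructed pool atlas001..atlas003 and the skipping of unmatched values when -mapall is absent are assumptions.

```python
import fnmatch, os, tempfile
from urllib.parse import quote

GROUPMAPFILE = """\
/VO=atlas/GROUP=mcprod mcprod
/VO=atlas/GROUP=mcprod .atlas
/VO=atlas/GROUP=dev .atlas
/VO=atlas/GROUP=* .atlas
"""  # the example groupmapfile from this page

def parse(text):
    """Split each non-empty row into (VO-GROUP pattern, target)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def pool_row(rows, fqan):
    """First row matching fqan whose target is a pool (leading dot)."""
    for pattern, target in rows:
        if target.startswith(".") and fnmatch.fnmatchcase(fqan, pattern):
            return pattern, target[1:]
    return None

def lease(groupmapdir, pattern, pool):
    """Return the pool group sharing an i-node with this row, leasing one if needed."""
    key = os.path.join(groupmapdir, quote(pattern, safe=""))  # assumed encoding
    groups = sorted(n for n in os.listdir(groupmapdir) if n.startswith(pool))
    paths = {g: os.path.join(groupmapdir, g) for g in groups}
    if os.path.exists(key):
        ino = os.stat(key).st_ino
        return next(g for g in groups if os.stat(paths[g]).st_ino == ino)
    for g in groups:
        if os.stat(paths[g]).st_nlink == 1:  # no second name yet: still free
            os.link(paths[g], key)           # second filename on the same i-node
            return g
    raise RuntimeError(f"pool .{pool} is exhausted")

def map_groups(fqans, mapall=False, pool_size=3):
    """Map VO-GROUP values in a scratch groupmapdir; mapall makes a miss fatal."""
    rows, mapped = parse(GROUPMAPFILE), {}
    with tempfile.TemporaryDirectory() as gmdir:
        for i in range(1, pool_size + 1):    # constructed pool: atlas001..atlas003
            open(os.path.join(gmdir, f"atlas{i:03d}"), "w").close()
        for fqan in fqans:
            row = pool_row(rows, fqan)
            if row is None and mapall:
                raise LookupError(f"no groupmapfile row matches {fqan}")
            if row is not None:
                mapped[fqan] = lease(gmdir, *row)
    return mapped

if __name__ == "__main__":
    print(map_groups(["/VO=atlas/GROUP=" + g for g in ("mcprod", "dev", "foo", "bar")]))
```

Because the link is named after the matched row rather than the presented value, every group that only matches the wildcard row shares one pool group, so the wildcard row decides how many distinct VO groups end up with the same GID.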
SEE ALSO
lcmaps_ldap_enf.mod, lcmaps_poolaccount.mod, lcmaps_posix_enf.mod, lcmaps_voms.mod