Re: [HTCondor-users] Unified Map File syntax with ASSUME_HASH_KEYS?
- Date: Fri, 31 Mar 2023 19:07:50 +0000
- From: John M Knoeller <johnkn@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] Unified Map File syntax with ASSUME_HASH_KEYS?
Think of it this way: both / and " count as "quote marks" for purposes of this question.
So wrapping the field with either // or "" counts as quoting the field.
The outer // or "" are always removed; what is inside the outer quotes is the field text.
If the field does not start with either form of quote, then a space ends the field.
Whether the field is then treated as a regex pattern or a literal hash key depends on CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS.
When CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS=false, then *all* keys are regexes regardless of how (or if) they are quoted.
When CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS=true, then only keys that are quoted with // are regexes; all other fields are hash keys.
So
- If we wrap a regex in / "quotes", do we still need double quotes if there are spaces?
No
- If CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS is True and we use double quotes, is this then considered a regex, a plain string *inside* quotes, or a plain string *with* quotes? (E.g. would `"foo \dar"` match `foo 6ar`, `foo \dar` or `"foo \dar"`?)
It is a plain string inside quotes; it would match your middle example: `foo \dar`
- Generally, if CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS is True and we want a literal/string match containing spaces, do we need quotes at all? (E.g. would `GSI foo bar someone@domain` match the DN `foo bar`?) Can/must we escape the leading / of a literal string?
No, it would not match. With assume-hash-keys=true
this would parse as
TYPE=GSI
HASHKEY=foo
CANONICALIZATION=bar
JUNK-AFTER-THE-END=someone@domain
Conversely, `GSI "foo bar" someone@domain` would parse as
TYPE=GSI
HASHKEY=foo bar
CANONICALIZATION=someone@domain
And `GSI /foo bar/ someone@domain` would parse as
TYPE=GSI
REGEX=foo bar
CANONICALIZATION=someone@domain
-tj
-----Original Message-----
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Fischer, Max (SCC)
Sent: Friday, March 31, 2023 10:49 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Unified Map File syntax with ASSUME_HASH_KEYS?
Hi all,
I am trying to grok how exactly the HTCondor (CE) mapfile syntax is. We currently have a rather paranoid mapfile usage in which everything is a regex but everything is escaped, and this is getting unwieldy.
Specifically, I am wondering how for complex identities the /-/ "regex quotes", regular quotes and CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS interact. The docs [0] seem to only enumerate a few cases but not explain the syntax fully.
The respective parts from the docs are:
- If CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS is True, then / "quotes" are needed to indicate an authenticated name regex.
- If a regex contains spaces, it can be wrapped in double quotes.
What is unclear to me:
- If we wrap a regex in / "quotes", do we still need double quotes if there are spaces?
- If CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS is True and we use double quotes, is this then considered a regex, a plain string *inside* quotes, or a plain string *with* quotes? (E.g. would `"foo \dar"` match `foo 6ar`, `foo \dar` or `"foo \dar"`?)
- Generally, if CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS is True and we want a literal/string match containing spaces, do we need quotes at all? (E.g. would `GSI foo bar someone@domain` match the DN `foo bar`?) Can/must we escape the leading / of a literal string?
Cheers,
Max
[0] The Unified Map File for Authentication
https://htcondor.readthedocs.io/en/latest/admin-manual/security.html#the-unified-map-file-for-authentication
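
The field and key rules described in the reply above, as an added sketch for auditing how a mapfile line will be read; it is not HTCondor's code and not from either poster. Assumptions: the function names are hypothetical, escaped delimiters inside a quoted field are not handled, and Python's `re.fullmatch` stands in for HTCondor's regex matching.

```python
import re

def read_field(line, pos):
    """Return (text, quote_char_or_None, next_pos) for the field at pos."""
    while pos < len(line) and line[pos].isspace():
        pos += 1
    if pos >= len(line):
        return None, None, pos
    q = line[pos]
    if q in '/"':                       # both / and " act as quote marks
        end = line.find(q, pos + 1)
        if end == -1:
            raise ValueError("unterminated %s-quoted field" % q)
        return line[pos + 1:end], q, end + 1   # outer quotes are removed
    end = pos
    while end < len(line) and not line[end].isspace():
        end += 1                        # unquoted: a space ends the field
    return line[pos:end], None, end

def parse_map_line(line, assume_hash_keys):
    """Split one mapfile line and classify its key as regex or hash key."""
    method, _, pos = read_field(line, 0)
    key, quote, pos = read_field(line, pos)
    canon, _, pos = read_field(line, pos)
    if method is None or key is None or canon is None:
        raise ValueError("expected three fields: %r" % line)
    # ASSUME_HASH_KEYS=false: every key is a regex, however it is quoted.
    # ASSUME_HASH_KEYS=true: only /.../ keys are regexes.
    is_regex = (quote == "/") if assume_hash_keys else True
    return {"method": method, "key": key, "is_regex": is_regex,
            "canonicalization": canon, "junk": line[pos:].strip()}

def key_matches(entry, name):
    """Assumption: whole-string regex match; hash keys compare literally."""
    if entry["is_regex"]:
        return re.fullmatch(entry["key"], name) is not None
    return entry["key"] == name

if __name__ == "__main__":
    # Constructed sample lines, taken from the examples in the thread.
    for text in ('GSI foo bar someone@domain',
                 'GSI "foo bar" someone@domain',
                 'GSI /foo bar/ someone@domain'):
        entry = parse_map_line(text, assume_hash_keys=True)
        flag = "  <-- trailing junk, check quoting" if entry["junk"] else ""
        print(text, "->", entry, flag)
```

A non-empty `junk` value is the sign that an unquoted identity containing spaces was split across fields, as in the first sample line.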