
Re: [HTCondor-users] how to configure voms proxies with ssl for mapping



Dear condor team

I found the problem after a discussion with colleagues at CNAF in a different mail thread:
it was due to the wrong format of the voms lsc files (which is a local conf issue).

Your ssl+voms module still tries to make a verification via the /usr/lib64/libvomsapi.so.1.0.0 library methods
(libvomsapi under the voms DN only in compat format, e.g. openssl x509 -noout -subject -nameopt compat;
see https://stackoverflow.com/questions/56130510/openssl-issuer-subject-format-differences)
best
e.v.




From: "emmanouil vamvakopoulos" <emmanouil.vamvakopoulos@xxxxxxxxxxxxxxx>
To: "htcondor-users" <htcondor-users@xxxxxxxxxxx>
Sent: Thursday, 3 October, 2024 16:02:12
Subject: Re: how to configure voms proxies with ssl for mapping

Dear condor team

I made dozens of tests and I have an issue with DN+voms mapping on $CondorVersion: 23.9.6 2024-08-08 BuildID: 748275 PackageID: 23.9.6-1 GitSHA: dfdd9eaa $ on AlmaLinux release 9.4 (Seafoam Ocelot)

SSL /\/DC=org\/DC=yyyyyy\/DC=xxx\/C=FR\/O=OUR ORG \/CN=my name my.name.x@xxxxxxxx,\/atlas\/.*/ atl000

SSL /\/DC=org\/DC=yyyyyy\/DC=xxx\/C=FR\/O=OUR ORG \/CN=my name my.name.x@xxxxxxx/ dte000

I can match only the DN part (second rule); it is not possible to map DN and voms in any format ("..." or with a regular expression like above).

We need this functionality as we have a use case where one robot DN supports many VOs via different voms attributes.

please could you have a look ?

I use 

CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS = True
AUTH_SSL_USE_VOMS_IDENTITY = true
USE_VOMS_ATTRIBUTES = True

thank you in advance
best

e.v.



From: "Maarten Litmaath" <Maarten.Litmaath@xxxxxxx>
To: "htcondor-users" <htcondor-users@xxxxxxxxxxx>, "emmanouil vamvakopoulos" <emmanouil.vamvakopoulos@xxxxxxxxxxxxxxx>
Sent: Sunday, 15 September, 2024 15:38:32
Subject: Re: how to configure voms proxies with ssl for mapping

Hi Emmanouil,
you need to use regex syntax like this:

SSL /\/DC=foo\/O=bar\/OU=abc\/CN=xyz,\/vo\/.*/ account

That is:

SSL /DN pattern,FQAN pattern/ account

You need to escape all '/' characters contained in those patterns,
as well as any commas appearing in them.

You can make use of regex tricks to simplify patterns and/or
allow them to match multiple cases.



From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Emmanouil Vamvakopoulos <emmanouil.vamvakopoulos@xxxxxxxxxxxxxxx>
Sent: Sunday, September 15, 2024 10:08 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] how to configure voms proxies with ssl for mapping
 
[...]

Dear Condor developers

I saw in the condor wiki  https://htcondor-wiki.cs.wisc.edu/index.cgi/wiki?p=HowToUseProxiesWithSs


....
VOMS Attributes

In HTCondor 23.5.2 and later, the CE can use VOMS attributes from the client's X.509 proxy in the mapfiles. The attributes will be appended to the end of the certificate subject, separated with commas, when looking for matches in the mapfiles. To enable this optional behavior, set the following configuration parameter:

  USE_VOMS_ATTRIBUTES = True

This will also cause some job attributes to be set containing the VOMS attributes. If you want the VOMS attributes to be added to the job ad but not be used in the mapfiles, then set the following configuration parameter as well:

  AUTH_SSL_USE_VOMS_IDENTITY = False
...

I need a working syntax example where the voms attributes are used for the mapping

thank you in advance
best
e.v.

-------------------------------------------------------------------
Vamvakopoulos Emmanouil

Service Exploitation d' IJCLab
CNRS/Université Paris-Saclay/Université de Paris
Bât. 200, 15 rue Georges Clémenceau, 91405 Orsay
-------------------------------------------------------------------
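
The `SSL /DN pattern,FQAN pattern/ account` syntax from Maarten Litmaath's reply, applied to the "one robot DN, many VOs" case, as an added example that is not part of the thread or of HTCondor's code. It builds the escaped mapfile lines and checks them against the `DN,FQAN,...` string before deployment. Assumptions: Python's `re` stands in for HTCondor's regex engine, the first matching line wins, matching is unanchored, and the DN, FQANs, account names and helper names are constructed for illustration.

```python
import re

# Regex metacharacters plus the mapfile delimiter '/' and the DN/FQAN separator ','.
_META = re.compile(r"([\\.^$*+?{}\[\]|()/,])")
# "METHOD /regex/ account": the regex ends at the first '/' not preceded by a backslash.
_ENTRY = re.compile(r"^(\S+)\s+/((?:\\.|[^\\/])*)/\s+(\S+)\s*$")

def escape_literal(text):
    """Backslash-escape a literal DN so it can sit inside /.../."""
    return _META.sub(r"\\\1", text)

def make_entry(dn, fqan_regex, account):
    """Build 'SSL /DN pattern,FQAN pattern/ account'; fqan_regex is already escaped."""
    body = escape_literal(dn) + ("," + fqan_regex if fqan_regex else "")
    return f"SSL /{body}/ {account}"

def parse_entry(line):
    """Split a regex mapfile line into (method, compiled regex, account)."""
    m = _ENTRY.match(line)
    if m is None:
        raise ValueError(f"not a regex mapfile line: {line!r}")
    method, pattern, account = m.groups()
    return method, re.compile(pattern), account

def map_identity(lines, dn, fqans):
    """Return the account of the first SSL line whose regex matches 'DN,FQAN,...'."""
    identity = ",".join([dn, *fqans])  # attributes appended to the subject with commas
    for line in lines:
        method, regex, account = parse_entry(line)
        if method == "SSL" and regex.search(identity):  # assumption: unanchored match
            return account
    return None

# Constructed sample data: one robot DN serving two VOs, DN-only fallback last.
ROBOT_DN = "/DC=org/DC=example/O=Example Org/CN=Robot: pilot (site.example.org)"
MAPFILE = [
    make_entry(ROBOT_DN, r"\/atlas\/.*", "atl000"),
    make_entry(ROBOT_DN, r"\/cms\/.*", "cms000"),
    make_entry(ROBOT_DN, "", "dte000"),
]

if __name__ == "__main__":
    for line in MAPFILE:
        print(line)
    print(map_identity(MAPFILE, ROBOT_DN, ["/atlas/Role=NULL/Capability=NULL"]))
```

The DN+FQAN lines are listed before the DN-only line because, under the unanchored-match assumption, a DN-only pattern placed first would also match identities that carry VOMS attributes.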