I'm afraid this is going to be technical.
For the last month or so - in the gaps between holidays, meetings and dealing with a power glitch that has knocked out some rather important bits of ngs.leeds.ac.uk - I've been working on the ngs-vo-tool. The ngs-vo-tool is a utility program that does the tweaking and fiddling needed when adding or removing support for all, or part, of a particular Virtual Organisation (VO).
One of the things the ngs-vo-tool needs to tweak and fiddle is the LCMAPS version of the gridmapfile. This controls which bits of which VO get assigned to which local accounts and consists of entries like...
"/training.ngs.ac.uk/*" .ngstrain
"/monitoring.ngs.ac.uk/lcas_lcmaps/*" .ngsmon
This particular example assigns anyone in the NGS's Training VO to an account in the 'ngstrain' pool, but only members of the 'lcas_lcmaps' group within the NGS Monitoring VO to the 'ngsmon' pool.
Groups can contain subgroups. You can also cherry-pick VO members with a particular role or a particular capability. Among the last features due to be added to ngs-vo-tool is one to allow any combination of group/role/capability to be specified and have this turned into something fit for an LCMAPS gridmapfile.
As always, it is not as simple as it first appears.
The bit in quotes is a pattern that matches a Fully Qualified Attribute Name (FQAN). The FQAN is a representation of VO, group, subgroup, role and capability, defined in http://edg-wp2.web.cern.ch/edg-wp2/security/voms/edg-voms-credential.pdf as
/VO[/group[/subgroup(s)]][/Role=role][/Capability=cap]
with the additional complication that the FQAN for a VO member with no role can either omit the Role=role bit or explicitly include 'Role=NULL'.
So in order for the code to do the right thing, I need to work out...
- What LCMAPS uses to match a pattern to a string. In particular, whether it is fussy about where the '*' can be placed and how many '*'s can be used.
- How the FQAN is constructed.
and do this for the slightly elderly version of LCMAPS that some NGS sites have deployed.
So a spot of source code archaeology is required and, luckily, I don't need to dig too deep as CERN kindly provide access to their source code repository on the web. The LCMAPS code, and the rest of the gLite code, can be found at http://jra1mw.cvs.cern.ch. Released versions are even conveniently 'tagged' with the version number at that release, allowing the incurably geeky to jump directly to the relevant files.
This is work in progress. So far, I've worked out that the venerable Unix fnmatch function is used to match the pattern to the string, and fnmatch allows '*'s to be used anywhere. The exact details of FQAN construction are still buried somewhere, but suitable fnmatch patterns should cope with the many variants of Role.
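To see what the fnmatch finding means for the gridmapfile entries above and for the FQAN grammar quoted earlier, here is an added example. It is not code from ngs-vo-tool or from LCMAPS: it builds FQANs per the /VO[/group[/subgroup(s)]][/Role=role][/Capability=cap] grammar, runs gridmapfile-style patterns through fnmatch(3), and checks whether a set of patterns covers every spelling of "member with no role". The pattern sets, the VO names other than those on the page, and the use of flags 0 for fnmatch are assumptions made here for illustration.

```c
/* Added example, not ngs-vo-tool or LCMAPS code: fnmatch(3) against FQANs
 * built from the grammar /VO[/group[/subgroup(s)]][/Role=role][/Capability=cap]. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define FQAN_MAX 256
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Build an FQAN into buf. group is the "group/subgroup" path without a
 * leading slash, or NULL. A NULL role or cap omits that element; pass the
 * string "NULL" to get the explicit Role=NULL / Capability=NULL spelling. */
static const char *build_fqan(char *buf, size_t n, const char *vo,
                              const char *group, const char *role,
                              const char *cap)
{
    size_t len;
    snprintf(buf, n, "/%s", vo);
    if (group && *group) {
        len = strlen(buf);
        snprintf(buf + len, n - len, "/%s", group);
    }
    if (role) {
        len = strlen(buf);
        snprintf(buf + len, n - len, "/Role=%s", role);
    }
    if (cap) {
        len = strlen(buf);
        snprintf(buf + len, n - len, "/Capability=%s", cap);
    }
    return buf;
}

/* One gridmapfile pattern against one FQAN. Flags 0 is an assumption made
 * here (the post only says fnmatch is used): with FNM_PATHNAME a '*' would
 * refuse to cross '/', and "/vo/*" would no longer reach "/vo/group/Role=NULL". */
static int fqan_matches(const char *pattern, const char *fqan)
{
    return fnmatch(pattern, fqan, 0) == 0;
}

/* 1 if any pattern in the list matches the FQAN. */
static int fqan_matches_any(const char *const *patterns, size_t n,
                            const char *fqan)
{
    for (size_t i = 0; i < n; i++)
        if (fqan_matches(patterns[i], fqan))
            return 1;
    return 0;
}

/* A pattern set meant to catch every role-less member of vo[/group] has to
 * match each spelling of "no role" the grammar allows: the bare FQAN, an
 * explicit Role=NULL, and Role=NULL/Capability=NULL. Returns 1 only if all
 * three are covered. */
static int plain_member_covered(const char *const *patterns, size_t n,
                                const char *vo, const char *group)
{
    char bare[FQAN_MAX], role_null[FQAN_MAX], both_null[FQAN_MAX];
    build_fqan(bare, sizeof bare, vo, group, NULL, NULL);
    build_fqan(role_null, sizeof role_null, vo, group, "NULL", NULL);
    build_fqan(both_null, sizeof both_null, vo, group, "NULL", "NULL");
    return fqan_matches_any(patterns, n, bare)
        && fqan_matches_any(patterns, n, role_null)
        && fqan_matches_any(patterns, n, both_null);
}

/* Constructed pattern sets for the checks in main(). "/vo/*" alone misses
 * the bare "/vo" FQAN because the '/' before the '*' must be present, so a
 * bare entry is paired with it. For a role, "*Role=admin*" is loose (it also
 * takes Role=administrator); ending the pattern at the role name, plus a
 * second entry for the Capability suffix, is tight. */
static const char *const training_star_only[] = { "/training.ngs.ac.uk/*" };
static const char *const training_full[] = { "/training.ngs.ac.uk",
                                             "/training.ngs.ac.uk/*" };
static const char *const ngs_admin_loose[] = { "/ngs.ac.uk/*Role=admin*" };
static const char *const ngs_admin_tight[] = { "/ngs.ac.uk/*Role=admin",
                                               "/ngs.ac.uk/*Role=admin/Capability=*" };

static char scratch[FQAN_MAX]; /* scratch buffer for the demos in main() */

int main(void)
{
    printf("%s\n", build_fqan(scratch, sizeof scratch, "monitoring.ngs.ac.uk",
                              "lcas_lcmaps", "NULL", "NULL"));
    printf("'/training.ngs.ac.uk/*' alone covers plain members: %d\n",
           plain_member_covered(training_star_only, COUNT(training_star_only),
                                "training.ngs.ac.uk", NULL));
    printf("bare entry plus '/*' covers plain members: %d\n",
           plain_member_covered(training_full, COUNT(training_full),
                                "training.ngs.ac.uk", NULL));
    printf("loose admin pattern also takes Role=administrator: %d\n",
           fqan_matches_any(ngs_admin_loose, COUNT(ngs_admin_loose),
                            "/ngs.ac.uk/Role=administrator"));
    printf("tight admin pattern takes Role=administrator: %d\n",
           fqan_matches_any(ngs_admin_tight, COUNT(ngs_admin_tight),
                            "/ngs.ac.uk/Role=administrator"));
    return 0;
}
```

The two points worth taking from it: a '*' placed after the VO's trailing '/' never matches the bare "/VO" form, so a wildcard entry on its own silently drops members whose FQAN carries neither group nor Role=NULL; and because '*' also matches '/', an unanchored "*Role=x*" reaches roles and groups you did not name, which matters when the pattern decides a pool account.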
The code is in our local version control system. It will be copied to the source code repository at NeSCForge as soon as the important bits of ngs.leeds.ac.uk are back in service.