Hi Stephen,
>> voname:group
>> /voname:group
>> /voname/*:group
>>
>> This is an overspecification and dealing with it in l-i-d-s
>> means I have to choose some interpretation for the above, it
>> is ambiguous.
>
> I don't think that's exactly true. The first one is not VOMS-specific,
> it just says "the whole VO" however that gets defined, e.g. via the LDAP
> servers in the old days. The other two refer specifically to VOMS FQANs,
> but I think are still different in that (someone correct me if I'm
> wrong!) they only relate to the primary FQAN, so /atlas only matches a
> proxy where the primary FQAN is /atlas, whereas /atlas/* matches any
> atlas proxy since all atlas FQANs start with /atlas.
I do not think /atlas/* will or should match any ATLAS proxy here.
In the grid- and groupmapfile for LCAS/LCMAPS it happens to work,
but that is by accident, due to the code still considering the full
FQAN as it appears in the proxy, even if the role is NULL and should
not have appeared at all:
/atlas/Role=NULL/Capability=NULL
That string matches /atlas/*, but the idea is that one day the short
format will become the default:
/atlas
That string does not match the wildcard.
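
The difference described above, as an added example that is not part of the original message and not LCAS/LCMAPS code: it reports which mapfile patterns give a different answer for the long and the short form of the same FQAN. It assumes plain glob matching over the whole FQAN string; the function names and the sample data are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: the NULL components appear exactly as these two strings.
NULL_PARTS = ("Role=NULL", "Capability=NULL")


def short_form(fqan):
    """Drop NULL role/capability components: long format -> short format."""
    parts = [p for p in fqan.split("/") if p and p not in NULL_PARTS]
    return "/" + "/".join(parts)


def matches(pattern, fqan):
    # Assumption: plain glob over the whole string; '*' also spans '/'.
    return fnmatchcase(fqan, pattern)


def format_dependent(patterns, fqans):
    """Return (pattern, long, short) wherever the match result differs."""
    findings = []
    for pattern in patterns:
        for fqan in fqans:
            short = short_form(fqan)
            if matches(pattern, fqan) != matches(pattern, short):
                findings.append((pattern, fqan, short))
    return findings


# Constructed sample data, not taken from a real mapfile or proxy.
SAMPLE_PATTERNS = ["/atlas/*"]
SAMPLE_FQANS = [
    "/atlas/Role=NULL/Capability=NULL",
    "/atlas/production/Role=NULL/Capability=NULL",
    "/atlas/Role=production/Capability=NULL",
]

if __name__ == "__main__":
    for pattern, long_fqan, short in format_dependent(SAMPLE_PATTERNS, SAMPLE_FQANS):
        print(f"{pattern!r}: result changes between {long_fqan!r} and {short!r}")
```

Only the bare /atlas FQAN is reported: the subgroup and the non-NULL role still match /atlas/* in either format.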