Grid Community Toolkit
6.2.1705709074 (tag: v6.2.20240202)
Gridmap Authorization and Local User Mapping

Macros
#define GlobusGssAssistFreeDNArray(dn_a)
    Free array of distinguished names.

Functions
int globus_gss_assist_gridmap(char *globusidp, char **useridp)
    Look up the default mapping for a Grid identity in a gridmap file.
int globus_gss_assist_userok(char *globusid, char *userid)
    Gridmap entry existence check.
int globus_gss_assist_map_local_user(char *local_user, char **globusidp)
    Look up the default Grid identity associated with a local user name.
globus_result_t globus_gss_assist_lookup_all_globusid(char *username, char **dns[], int *dn_count)
    Look up all Grid IDs associated with a local user ID.
globus_result_t globus_gss_assist_map_and_authorize(gss_ctx_id_t context, char *service, char *desired_identity, char *identity_buffer, unsigned int identity_buffer_length)
    Authorize the peer of a security context to use a service.
globus_result_t globus_gss_assist_map_and_authorize_sharing(char *shared_user_certificate, gss_ctx_id_t context, char *desired_identity, char *identity_buffer, unsigned int identity_buffer_length)
    Authorize a particular credential for shared access.
Gridmap Authorization and Local User Mapping.
Functions in this group are used to authorize a GSSAPI credential to perform some action on the local machine. In addition to checking whether a credential is authorized, it can also be mapped to a local user name.
#define GlobusGssAssistFreeDNArray(dn_a)
Free array of distinguished names.
Free the contents of a name array created during a successful call to globus_gss_assist_lookup_all_globusid().
Parameters:
dn_a | Array of names to free.
Returns: void
int globus_gss_assist_gridmap(char *globusidp, char **useridp)
Look up the default mapping for a Grid identity in a gridmap file.
The globus_gss_assist_gridmap() function parses the default gridmap file and modifies its useridp parameter to point to a copy of the string containing the default local identity that the grid identity is mapped to. If successful, the caller is responsible for freeing the string pointed to by useridp.
By default, globus_gss_assist_gridmap() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.
Parameters:
globusidp | The GSSAPI name string of the identity who requested authorization.
useridp | A pointer to a string to be set to the default user ID for the local system. No validation is done to check that such a user exists.
Return values:
GLOBUS_SUCCESS | Success
1 | Error
globus_result_t globus_gss_assist_lookup_all_globusid(char *username, char **dns[], int *dn_count)
Look up all Grid IDs associated with a local user ID.
The globus_gss_assist_lookup_all_globusid() function parses a gridmap file and finds all Grid IDs that map to a local user ID. The dns parameter is modified to point to an array of Grid ID strings from the gridmap file, and the dn_count parameter is modified to point to the number of Grid ID strings in the array. The caller is responsible for freeing the array using the macro GlobusGssAssistFreeDNArray().
By default, globus_gss_assist_lookup_all_globusid() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.
Parameters:
username | The local username to look up in the gridmap file.
dns | A pointer to an array of strings. This function modifies this to point to a newly allocated array of strings. The caller must use the macro GlobusGssAssistFreeDNArray() to free this memory.
dn_count | A pointer to an integer that is modified to contain the number of entries in the array returned via the dns parameter.
Return values:
GLOBUS_SUCCESS | Success
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_ARGUMENTS | Error with arguments
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_GRIDMAP | Invalid path to gridmap
GLOBUS_GSI_GSS_ASSIST_ERROR_ERRNO | System error
globus_result_t globus_gss_assist_map_and_authorize(gss_ctx_id_t context, char *service, char *desired_identity, char *identity_buffer, unsigned int identity_buffer_length)
Authorize the peer of a security context to use a service.
The globus_gss_assist_map_and_authorize() function attempts to authorize the peer of a security context to use a particular service. If the desired_identity parameter is non-NULL, the authorization will succeed only if the peer is authorized for that identity. Otherwise, any valid authorized local user name will be used. If authorized, the local user name will be copied to the string pointed to by the identity_buffer parameter, which must be at least as long as the value passed as the identity_buffer_length parameter.
If authorization callouts are defined in the callout configuration file, globus_gss_assist_map_and_authorize() will invoke both the GLOBUS_GENERIC_MAPPING_TYPE callout and the GLOBUS_GENERIC_AUTHZ_TYPE callout; otherwise the default gridmap file will be used for mapping and no service-specific authorization will be done.
If globus_gss_assist_map_and_authorize() uses a gridmap file, it first looks for a file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.
Parameters:
context | Security context to inspect for peer identity information.
service | A NULL-terminated string containing the name of the service that an authorization decision is being made for.
desired_identity | Optional. If non-NULL, perform an authorization to act as the local user named by this NULL-terminated string.
identity_buffer | A pointer to a string buffer into which will be copied the local user name that the peer of the context is authorized to act as.
identity_buffer_length | Length of the identity_buffer array.
Return values:
GLOBUS_SUCCESS | Success
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_CALLOUT_CONFIG | Invalid authorization configuration file
GLOBUS_CALLOUT_ERROR_WITH_HASHTABLE | Hash table operation failed.
GLOBUS_CALLOUT_ERROR_CALLOUT_ERROR | The callout itself returned an error.
GLOBUS_CALLOUT_ERROR_WITH_DL | Dynamic library operation failed.
GLOBUS_CALLOUT_ERROR_OUT_OF_MEMORY | Out of memory
GLOBUS_GSI_GSS_ASSIST_GSSAPI_ERROR | A GSSAPI function returned an error
GLOBUS_GSI_GSS_ASSIST_GRIDMAP_LOOKUP_FAILED | Gridmap lookup failure
GLOBUS_GSI_GSS_ASSIST_BUFFER_TOO_SMALL | Caller provided insufficient buffer space for the local identity
globus_result_t globus_gss_assist_map_and_authorize_sharing(char *shared_user_certificate, gss_ctx_id_t context, char *desired_identity, char *identity_buffer, unsigned int identity_buffer_length)
Authorize a particular credential for shared access.
The globus_gss_assist_map_and_authorize_sharing() function attempts to authorize a particular credential for shared access. If the desired_identity parameter is non-NULL, the authorization will succeed only if the credential is authorized for that identity. Otherwise, any valid authorized local user name will be used. If authorized, the local user name will be copied to the string pointed to by the identity_buffer parameter, which must be at least as long as the value passed as the identity_buffer_length parameter.
If authorization callouts are defined in the callout configuration file, globus_gss_assist_map_and_authorize_sharing() will invoke both the GLOBUS_GENERIC_MAPPING_TYPE callout and the GLOBUS_GENERIC_AUTHZ_TYPE callout; otherwise the default gridmap file will be used for mapping and no service-specific authorization will be done.
If globus_gss_assist_map_and_authorize_sharing() uses a gridmap file, it first looks for a file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.
Parameters:
shared_user_certificate | Certificate and certificate chain of the user that owns the resources to be shared, in PEM format. This will be parsed to find the identity that should be mapped.
context | Security context of the underlying connection. This should generally be ignored.
desired_identity | Optional. If non-NULL, perform an authorization to act as the local user named by this NULL-terminated string.
identity_buffer | A pointer to a string buffer into which will be copied the local user name that the peer of the context is authorized to act as.
identity_buffer_length | Length of the identity_buffer array.
Return values:
GLOBUS_SUCCESS | Success
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_CALLOUT_CONFIG | Invalid authorization configuration file
GLOBUS_CALLOUT_ERROR_WITH_HASHTABLE | Hash table operation failed.
GLOBUS_CALLOUT_ERROR_CALLOUT_ERROR | The callout itself returned an error.
GLOBUS_CALLOUT_ERROR_WITH_DL | Dynamic library operation failed.
GLOBUS_CALLOUT_ERROR_OUT_OF_MEMORY | Out of memory
GLOBUS_GSI_GSS_ASSIST_GSSAPI_ERROR | A GSSAPI function returned an error
GLOBUS_GSI_GSS_ASSIST_GRIDMAP_LOOKUP_FAILED | Gridmap lookup failure
GLOBUS_GSI_GSS_ASSIST_BUFFER_TOO_SMALL | Caller provided insufficient buffer space for the local identity
int globus_gss_assist_map_local_user(char *local_user, char **globusidp)
Look up the default Grid identity associated with a local user name.
The globus_gss_assist_map_local_user() function parses the gridmap file to determine whether the user name passed as the local_user parameter is the default local user for a Grid ID in the gridmap file. If so, it modifies globusidp to point to a copy of that ID. Otherwise, it searches the gridmap file for a Grid ID that has a non-default mapping for local_user and modifies globusidp to point to a copy of that ID. If successful, the caller is responsible for freeing the string pointed to by the globusidp pointer.
By default, globus_gss_assist_map_local_user() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.
Parameters:
local_user | The local username to find a Grid ID for.
globusidp | A Grid ID that maps from the local_user.
Return values:
GLOBUS_SUCCESS | Success
1 | Error
int globus_gss_assist_userok(char *globusid, char *userid)
Gridmap entry existence check.
The globus_gss_assist_userok() function parses the default gridmap file and checks whether any mapping exists for the grid identity passed as the globusid parameter and the local user identity passed as the userid parameter.
By default, globus_gss_assist_userok() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.
Parameters:
globusid | The GSSAPI name string of the identity who requested authorization.
userid | The local account name that access is sought for.
Return values:
GLOBUS_SUCCESS | Success
1 | Error
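As an added illustration of the lookup semantics documented for globus_gss_assist_gridmap() and globus_gss_assist_userok() above (this is not code from the Grid Community Toolkit), the following stand-alone C reimplements both lookups over a constructed in-memory gridmap. It assumes the usual gridmap line format of a double-quoted DN followed by a comma-separated list of local user names, the first of which is the default mapping; the function names gridmap_default_user and gridmap_userok are hypothetical.

```c
/* Added illustration of the gridmap semantics documented above; not GCT library code.
 * Assumed line format: "<quoted DN>" user1,user2,...  (first user = default mapping). */
#include <string.h>
static const char *SAMPLE_GRIDMAP =   /* constructed sample, standing in for $GRIDMAP */
    "\"/DC=org/DC=example/CN=Alice Example\" alice,shared\n"
    "# comments and blank lines are skipped\n\n"
    "\"/DC=org/DC=example/CN=Bob Example\" bob\n";
/* Copy the comma-separated local-user list of dn's entry into users and return 1;
 * return 0 when no well-formed entry for dn exists. */
static int find_entry(const char *map, const char *dn, char *users, size_t usz)
{
    while (*map) {
        const char *nl = strchr(map, '\n');
        const char *end = nl ? nl : map + strlen(map), *p = map, *q;
        map = nl ? nl + 1 : end;                                  /* advance to next line */
        while (p < end && (*p == ' ' || *p == '\t')) p++;
        if (p >= end || *p != '"') continue;                      /* blank, comment, unquoted */
        q = memchr(p + 1, '"', end - p - 1);
        if (!q || (size_t)(q - p - 1) != strlen(dn) || memcmp(p + 1, dn, strlen(dn))) continue;
        for (p = q + 1; p < end && (*p == ' ' || *p == '\t'); p++) ;
        if (p >= end || (size_t)(end - p) >= usz) return 0;       /* DN with no local user */
        memcpy(users, p, end - p); users[end - p] = '\0';
        return 1;
    }
    return 0;
}
/* Mirrors globus_gss_assist_gridmap(): copy the default (first) local user for dn
 * into out. Returns 0 (GLOBUS_SUCCESS) or 1 on error, as documented above; like the
 * library it does not check that the local account actually exists on the system. */
int gridmap_default_user(const char *map, const char *dn, char *out, size_t outsz)
{
    char users[256]; size_t n;
    if (!find_entry(map, dn, users, sizeof users)) return 1;
    n = strcspn(users, ",");
    if (n >= outsz) return 1;                                     /* caller buffer too small */
    memcpy(out, users, n); out[n] = '\0';
    return 0;
}
/* Mirrors globus_gss_assist_userok(): 0 if ANY mapping (default or not) from dn
 * to user exists, 1 otherwise. */
int gridmap_userok(const char *map, const char *dn, const char *user)
{
    char users[256], *p = users;
    if (!find_entry(map, dn, users, sizeof users)) return 1;
    for (;;) {
        size_t n = strcspn(p, ",");
        if (n == strlen(user) && memcmp(p, user, n) == 0) return 0;
        if (p[n] == '\0') return 1;
        p += n + 1;
    }
}
```

Note that a DN with no gridmap entry, an undersized identity buffer, and an identity with only a non-default mapping all resolve differently, which is exactly the distinction between the default-mapping lookup and the existence check.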