Grid Community Toolkit  6.2.1705709074 (tag: v6.2.20240202)
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
Macros | Functions
Gridmap Authorization

Gridmap Authorization and Local User Mapping. More...

Macros

#define GlobusGssAssistFreeDNArray(dn_a)
 Free array of distinguished names. More...
 

Functions

int globus_gss_assist_gridmap (char *globusidp, char **useridp)
 Look up the default mapping for a Grid identity in a gridmap file. More...
 
int globus_gss_assist_userok (char *globusid, char *userid)
 Gridmap entry existence check. More...
 
int globus_gss_assist_map_local_user (char *local_user, char **globusidp)
 Look up the default Grid identity associated with a local user name. More...
 
globus_result_t globus_gss_assist_lookup_all_globusid (char *username, char **dns[], int *dn_count)
 Look up all Grid IDs associated with a local user ID. More...
 
globus_result_t globus_gss_assist_map_and_authorize (gss_ctx_id_t context, char *service, char *desired_identity, char *identity_buffer, unsigned int identity_buffer_length)
 Authorize the peer of a security context to use a service. More...
 
globus_result_t globus_gss_assist_map_and_authorize_sharing (char *shared_user_certificate, gss_ctx_id_t context, char *desired_identity, char *identity_buffer, unsigned int identity_buffer_length)
 Authorize a particular credential for shared access. More...
 

Detailed Description

Gridmap Authorization and Local User Mapping.

Functions in this group are used to authorize a GSSAPI credential to perform some action on the local machine. In addition to checking whether a credential is authorized, it can also be mapped to a local user name.

Macro Definition Documentation

#define GlobusGssAssistFreeDNArray (   dn_a)

Free array of distinguished names.

Free the contents of a name array created during a successful call to globus_gss_assist_lookup_all_globusid()

Parameters
dn_aArray of names to free.
Return values
void

Function Documentation

int globus_gss_assist_gridmap ( char *  globusidp,
char **  useridp 
)

Look up the default mapping for a Grid identity in a gridmap file.

The globus_gss_assist_gridmap() function parses the default gridmap file and modifies its useridp parameter to point to a copy of the string containing the default local identity that the grid identity is mapped to. If successful, the caller is responsible for freeing the string pointed to by useridp.

By default, globus_gss_assist_gridmap() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters
globusidpThe GSSAPI name string of the identity who requested authorization
useridpA pointer to a string to be set to the default user ID for the local system. No validation is done to check that such a user exists.
Returns
On success, globus_gss_assist_gridmap() returns 0 and modifies the the string pointed to by the useridp parameter. If an error occurs, a non-zero value is returned and the value pointed to by useridp is undefined.
Return values
GLOBUS_SUCCESSSuccess
1Error
globus_result_t globus_gss_assist_lookup_all_globusid ( char *  username,
char **  dns[],
int *  dn_count 
)

Look up all Grid IDs associated with a local user ID.

The globus_gss_assist_lookup_all_globusid() function parses a gridmap file and finds all Grid IDs that map to a local user ID. The dns parameter is modified to point to an array of Grid ID strings from the gridmap file, and the dn_count parameter is modified to point to the number of Grid ID strings in the array. The caller is responsible for freeing the array using the macro GlobusGssAssistFreeDNArray().

By default, globus_gss_assist_lookup_all_globusid() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters
usernameThe local username to look up in the gridmap file.
dnsA pointer to an array of strings. This function modifies this to point to a newly allocated array of strings. The caller must use the macro GlobusGssAssistFreeDNArray() to free this memory.
dn_countA pointer to an integer that is modified to contain the number of entries in the array returned via the dns parameter.
Returns
On success, globus_gss_assist_lookup_all_globusid() returns GLOBUS_SUCCESS and modifies its dns and dn_count parameters as described above. If an error occurs, globus_gss_assist_lookup_all_globusid() returns a globus_result_t that can be resolved to an error object and the values pointed to by dns and dn_count are undefined.
Return values
GLOBUS_SUCCESSSuccess
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_ARGUMENTSError with arguments
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_GRIDMAPInvalid path to gridmap
GLOBUS_GSI_GSS_ASSIST_ERROR_ERRNOSystem error
globus_result_t globus_gss_assist_map_and_authorize ( gss_ctx_id_t  context,
char *  service,
char *  desired_identity,
char *  identity_buffer,
unsigned int  identity_buffer_length 
)

Authorize the peer of a security context to use a service.

The globus_gss_assist_map_and_authorize() function attempts to authorize the peer of a security context to use a particular service. If the desired_identity parameter is non-NULL, the authorization will succeed only if the peer is authorized for that identity. Otherwise, any valid authorized local user name will be used. If authorized, the local user name will be copied to the string pointed to by the identity_buffer parameter, which must be at least as long as the value passed as the identity_buffer_length parameter.

If authorization callouts are defined in the callout configuration file, globus_gss_assist_map_and_authorize() will invoke both the GLOBUS_GENERIC_MAPPING_TYPE callout and the GLOBUS_GENERIC_AUTHZ_TYPE callout; otherwise the default gridmap file will be used for mapping and no service-specific authorization will be done.

If globus_gss_assist_map_and_authorize() uses a gridmap file, it first looks for a file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters
contextSecurity context to inspect for peer identity information.
serviceA NULL-terminated string containing the name of the service that an authorization decision is being made for.
desired_identityOptional. If non-NULL, perform an authorization to act as the local user named by this NULL-terminated string.
identity_bufferA pointer to a string buffer into which will be copied the local user name that the peer of the context is authorized to act as.
identity_buffer_lengthLength of the identity_buffer array.
Returns
On success, globus_gss_assist_map_and_authorize() returns GLOBUS_SUCCESS and copies the authorized local identity to the identity_buffer parameter. If an error occurs, globus_gss_assist_map_and_authorize() returns a globus_result_t that can be resolved to an error object.
Return values
GLOBUS_SUCCESSSuccess
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_CALLOUT_CONFIGInvalid authorization configuration file
GLOBUS_CALLOUT_ERROR_WITH_HASHTABLEHash table operation failed.
GLOBUS_CALLOUT_ERROR_CALLOUT_ERRORThe callout itself returned a error.
GLOBUS_CALLOUT_ERROR_WITH_DLDynamic library operation failed.
GLOBUS_CALLOUT_ERROR_OUT_OF_MEMORYOut of memory
GLOBUS_GSI_GSS_ASSIST_GSSAPI_ERRORA GSSAPI function returned an error
GLOBUS_GSI_GSS_ASSIST_GRIDMAP_LOOKUP_FAILEDGridmap lookup failure
GLOBUS_GSI_GSS_ASSIST_BUFFER_TOO_SMALLCaller provided insufficient buffer space for local identity
globus_result_t globus_gss_assist_map_and_authorize_sharing ( char *  shared_user_certificate,
gss_ctx_id_t  context,
char *  desired_identity,
char *  identity_buffer,
unsigned int  identity_buffer_length 
)

Authorize a particular credential for shared access.

The globus_gss_assist_map_and_authorize_sharing() function attempts to authorize a particular credential for shared access. the desired_identity parameter is non-NULL, the authorization will succeed only if the credential is authorized for that identity. Otherwise, any valid authorized local user name will be used. If authorized, the local user name will be copied to the string pointed to by the identity_buffer parameter, which must be at least as long as the value passed as the identity_buffer_length parameter.

If authorization callouts are defined in the callout configuration file, globus_gss_assist_map_and_authorize_sharing() will invoke both the GLOBUS_GENERIC_MAPPING_TYPE callout and the GLOBUS_GENERIC_AUTHZ_TYPE callout; otherwise the default gridmap file will be used for mapping and no service-specific authorization will be done.

If globus_gss_assist_map_and_authorize_sharing() uses a gridmap file, it first looks for a file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters
shared_user_certificatecert and cert chain of user that owns the resources to be shared, in PEM format. This will be parsed to find the identity that should be mapped.
contextSecurity context of the underlying connection. This should generally be ignored.
desired_identityOptional. If non-NULL, perform an authorization to act as the local user named by this NULL-terminated string.
identity_bufferA pointer to a string buffer into which will be copied the local user name that the peer of the context is authorized to act as.
identity_buffer_lengthLength of the identity_buffer array.
Returns
On success, globus_gss_assist_map_and_authorize_sharing() returns GLOBUS_SUCCESS and copies the authorized local identity to the identity_buffer parameter. If an error occurs, globus_gss_assist_map_and_authorize_sharing() returns a globus_result_t that can be resolved to an error object.
Return values
GLOBUS_SUCCESSSuccess
GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_CALLOUT_CONFIGInvalid authorization configuration file
GLOBUS_CALLOUT_ERROR_WITH_HASHTABLEHash table operation failed.
GLOBUS_CALLOUT_ERROR_CALLOUT_ERRORThe callout itself returned a error.
GLOBUS_CALLOUT_ERROR_WITH_DLDynamic library operation failed.
GLOBUS_CALLOUT_ERROR_OUT_OF_MEMORYOut of memory
GLOBUS_GSI_GSS_ASSIST_GSSAPI_ERRORA GSSAPI function returned an error
GLOBUS_GSI_GSS_ASSIST_GRIDMAP_LOOKUP_FAILEDGridmap lookup failure
GLOBUS_GSI_GSS_ASSIST_BUFFER_TOO_SMALLCaller provided insufficient buffer space for local identity
int globus_gss_assist_map_local_user ( char *  local_user,
char **  globusidp 
)

Look up the default Grid identity associated with a local user name.

The globus_gss_assist_map_local_user() function parses the gridmap file to determine a if the user name passed as the local_user parameter is the default local user for a Grid ID in the gridmap file. If so, it modifies globusidp to point to a copy of that ID. Otherwise, it searches the gridmap file for a Grid ID that has a non-default mapping for local_user and modifies globusidp to point to a copy of that ID. If successful, the caller is responsible for freeing the string pointed to by the globusidp pointer.

By default, globus_gss_assist_map_local_user() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters
local_userThe local username to find a Grid ID for
globusidpA Grid ID that maps from the local_user.
Returns
On success, globus_gss_assist_map_local_user() returns 0 and modifies globusidp to point to a Grid ID that maps to local_user; otherwise, globus_gss_assist_map_local_user() returns 1 and the value pointed to by globusidp is undefined.
Return values
GLOBUS_SUCCESSSuccess
1Error
int globus_gss_assist_userok ( char *  globusid,
char *  userid 
)

Gridmap entry existence check.

The globus_gss_assist_userok() function parses the default gridmap file and checks whether any mapping exists for the grid identity passed as the globusid parameter and the local user identity passed as the @ userid parameter.

By default, globus_gss_assist_userok() looks for the default gridmap file defined by the value of the GRIDMAP environment variable. If that is not set, it falls back to $HOME/.gridmap.

Parameters
globusidThe GSSAPI name string of the identity who requested authorization
useridThe local account name that access is sought for.
Returns
If globus_gss_assist_userok() is able to find a mapping between globusid and userid, it returns 0; otherwise it returns 1.
Return values
GLOBUS_SUCCESSSuccess
1Error