dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogeneous server nodes, under a single virtual filesystem tree with a variety of standard access methods
Hello dCache.org,
this week's EGI security drill revealed something that flew under the radar, which is that the revocation entries as documented in The Book to this day actually do not have the intended effect!
Please refer to dCache RT #7834 for the full story. The short of it is that the ban plugin was introduced precisely because no other plugin could address the need to explicitly revoke authentication of specific users/VOs. Prompted by the security drill, I tried a revocation entry for the reported DN and found that gPlazma (dCache v8.2.10) ignored it. An acceptable workaround for now is to map to a bogus virtual account (e.g. "ban"), for which the map session won't yield useful results.
/label documentation
Best regards, Xavier.