dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogeneous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

[The Book] Revocation entries with grid-vorolemap and gridmap plugin do not work #7095

Closed XMol closed 1 year ago

XMol commented 1 year ago

Hello dCache.org,

this week's EGI security drill revealed something that flew under the radar, which is that the revocation entries as documented in The Book to this day actually do not have the intended effect!

Please refer to dCache RT #7834 for the full story. The short of it is that the ban plugin was introduced precisely because no other plugin could address the need to explicitly revoke authentication of specific users/VOs. Prompted by the security drill, I tried a revocation entry for the reported DN and found that gPlazma (dCache v8.2.10) ignored it. An acceptable workaround for now is to map to a bogus virtual account (e.g. "ban"), for which the map session won't yield useful results.

/label documentation

Best regards, Xavier.
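The two approaches the report contrasts, as an added configuration example that is not part of the issue or of dCache's own documentation: the `banfile` plugin (the one introduced for explicit revocation) alongside the interim workaround of mapping a DN to an account that no later `session` step can resolve. The file layout follows the `gplazma.conf` / `ban.conf` conventions as I remember them from The Book, so the plugin name, the `alias`/`ban` keywords and the principal class should be checked against the current banfile section before use; the DN, VO name and `ban` account are constructed placeholders.

```conf
# /etc/dcache/gplazma.conf (excerpt; assumed layout, check against The Book)
# The banfile plugin runs in the account phase, so a banned principal is
# rejected after it has been authenticated and mapped, regardless of what
# grid-vorolemap or gridmap say about it.
auth    optional  x509
auth    optional  voms
map     requisite vorolemap
map     requisite gridmap
account requisite banfile        # explicit revocation lives here
session requisite authzdb

# /etc/dcache/ban.conf (assumed syntax: "alias name=class", "ban name:value")
# Revocation by certificate DN; constructed placeholder DN.
alias dn=org.globus.gsi.gssapi.jaas.GlobusPrincipal
ban dn:/DC=org/DC=example/OU=people/CN=Revoked User

# /etc/grid-security/grid-vorolemap (interim workaround from the report)
# Instead of a revocation entry, which gPlazma 8.2.10 ignored, map the DN to
# a bogus account so the session phase cannot resolve it. Constructed values.
"/DC=org/DC=example/OU=people/CN=Revoked User" "/examplevo" ban
```

The workaround relies on the `session` plugins having no `ban` user in their authorization database; if someone later adds such an account, the mapping silently becomes a valid login. The `banfile` route fails closed instead, which is why the report treats the mapping trick as acceptable only until the revocation entries are fixed or documented correctly.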

XMol commented 1 year ago

All pull requests for the active branches have been merged.