opensciencegrid / xrootd-multiuser

A filesystem plugin to allow Xrootd write as a different Unix user
Apache License 2.0

If user cannot be mapped to uid, continue as anonymous #45

Closed jthiltges closed 1 year ago

jthiltges commented 1 year ago

This allows unmapped GSI clients to access data via the root protocol as an anonymous user.

bbockelm commented 1 year ago

Hm - I'm uncomfortable with this one. It allows mistakes access all of a sudden, right?

jthiltges commented 1 year ago

Marking as draft to work through an idea that Brian suggested: only treat a client as anonymous if the username lookup failed and there was no mapping done. (gmapopt:trymap resulting in a DN hash, rather than a username.)

bbockelm commented 1 year ago

Since it does allocate a string and do a hash map lookup, can you only do the gridmap mapping check in the failure case where you use it? Maybe peel it off as a separate static method?

jthiltges commented 1 year ago

That's a good idea, thanks.

I'd been thinking about turning it around: only try getpwnam() if gridmap.name == "1". Otherwise consider the client as anonymous. It would keep the string allocation and hash lookup, but avoid NSS hits with DNs and DN hashes.

bbockelm commented 1 year ago

That'd be even better! Note that you would then need to check that this is a GSI mapping to make sure the behavior doesn't change for other protocols.

djw8605 commented 1 year ago

Is this tested? If so, seems simple enough.

bbockelm commented 1 year ago

If this tests out fine, I’m happy with the implementation approach.

jthiltges commented 1 year ago

I've applied it to the production Nebraska SEs, and no issues to report. I think it's ready to consider squashing and merging.
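The decision order discussed in this thread, as an added example that is not the code from this pull request or from xrootd-multiuser: `ClientEntity`, `Outcome`, `Decision`, `UidLookup` and `resolve_identity` are hypothetical names, and the lookup is injected so the sketch runs without touching NSS. It assumes that a name which should resolve but does not is refused rather than downgraded to anonymous.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <string>

// Hypothetical stand-in for the security entity the plugin receives.
struct ClientEntity {
    std::string prot;                          // e.g. "gsi"
    std::string name;                          // username, DN, or DN hash
    std::map<std::string, std::string> attrs;  // e.g. {"gridmap.name", "1"}
};

enum class Outcome { Mapped, Anonymous, Denied };
struct Decision { Outcome outcome; unsigned uid; };

// Injectable lookup; production code would wrap getpwnam() here.
using UidLookup = std::function<bool(const std::string&, unsigned&)>;

// True only when gridmap.name == "1", the condition named in the thread.
static bool gsi_was_mapped(const ClientEntity& e) {
    auto it = e.attrs.find("gridmap.name");
    return it != e.attrs.end() && it->second == "1";
}

Decision resolve_identity(const ClientEntity& e, const UidLookup& lookup) {
    // Unmapped GSI client: the name is a DN or DN hash, so skip the lookup.
    if (e.prot == "gsi" && !gsi_was_mapped(e))
        return {Outcome::Anonymous, 0};
    unsigned uid = 0;
    // Mapped GSI clients and every other protocol: resolve the name as before.
    if (lookup(e.name, uid))
        return {Outcome::Mapped, uid};
    // Assumption: a failed lookup here fails closed instead of going anonymous.
    return {Outcome::Denied, 0};
}

int main() {
    // Constructed sample data: one known account, one unmapped DN hash.
    UidLookup lookup = [](const std::string& n, unsigned& uid) -> bool {
        if (n == "alice") { uid = 1001; return true; }
        return false;
    };
    ClientEntity unmapped{"gsi", "4f3a9c1e.0", {}};
    ClientEntity mapped{"gsi", "alice", {{"gridmap.name", "1"}}};
    std::cout << (resolve_identity(unmapped, lookup).outcome == Outcome::Anonymous) << "\n";
    std::cout << resolve_identity(mapped, lookup).uid << "\n";
    return 0;
}
```

Checking the protocol before the attribute keeps non-GSI clients on the original lookup path, and a mistyped grid-mapfile username ends in `Denied` rather than silently gaining anonymous access.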