Closed jthiltges closed 1 year ago
Hm - I'm uncomfortable with this one. It allows mistakes access all of a sudden, right?
Marking as draft to work through an idea that Brian suggested: only treat a client as anonymous if the username lookup failed and there was no mapping done. (gmapopt:trymap resulting in a DN hash, rather than a username.)
Since it does allocate a string and do a hash map lookup, can you only do the gridmap mapping check in the failure case where you use it? Maybe peel it off as a separate static method?
That's a good idea, thanks.
I'd been thinking about turning it around: only try getpwnam() if gridmap.name == "1". Otherwise consider the client as anonymous. It would keep the string allocation and hash lookup, but avoid NSS hits with DNs and DN hashes.
That'd be even better! Note that you would then need to check that this is a GSI mapping to make sure the behavior doesn't change for other protocols.
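The decision discussed above (anonymous only for GSI clients whose gridmap step produced no username, getpwnam() only when it did, other protocols unchanged), written out as an added illustration that is not code from this pull request or from the project. The `ClientInfo` struct, the `gridmap_gave_name` flag standing in for `gridmap.name == "1"`, the injected `user_exists` callback standing in for getpwnam(), and the choice to reject (rather than treat as anonymous) a mapped name that fails lookup are all assumptions made for the example:

```cpp
#include <functional>
#include <string>

// Outcome of the identity decision for one client connection.
enum class ClientIdentity { Mapped, Anonymous, Rejected };

// Hypothetical view of what the authentication layer knows about a client.
struct ClientInfo {
    bool is_gsi;             // true when the connection authenticated with GSI
    bool gridmap_gave_name;  // stand-in for gridmap.name == "1": the gridmap /
                             // trymap step produced a username, not a DN hash
    std::string username;    // username (or DN hash) carried in the credential
};

// Hypothetical helper, peeled off as a separate function as suggested in the
// thread. `user_exists` stands in for getpwnam(); it is injected so the
// decision can be exercised without touching NSS.
ClientIdentity classify_client(const ClientInfo& c,
                               const std::function<bool(const std::string&)>& user_exists)
{
    // Non-GSI protocols keep their previous behaviour: the name must resolve.
    if (!c.is_gsi)
        return user_exists(c.username) ? ClientIdentity::Mapped
                                       : ClientIdentity::Rejected;

    // GSI client whose gridmap step did not yield a username (for example
    // trymap left a DN hash): anonymous, and no getpwnam() call is made,
    // which is what avoids the NSS hits for DNs and DN hashes.
    if (!c.gridmap_gave_name)
        return ClientIdentity::Anonymous;

    // GSI client with a gridmap username: look it up. A failed lookup here is
    // a configuration mistake (assumption for this example), so it is not
    // silently downgraded to anonymous access.
    return user_exists(c.username) ? ClientIdentity::Mapped
                                   : ClientIdentity::Rejected;
}
```

The test below counts calls to `user_exists` to show that the anonymous path never reaches the lookup.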
Is this tested? If so, seems simple enough.
If this tests out fine, I’m happy with the implementation approach.
I've applied it to the production Nebraska SEs, and no issues to report. I think it's ready to consider squashing and merging.
This allows unmapped GSI clients to access data via the root protocol as an anonymous user.