
[mapping] block refactoring (documentation only)

Andrii Salnikov requested to merge andrii/arc:mapping-config-refactoring into master

Preface

During the call we agreed that all auth rules in the mapping can be replaced with authgroup. E.g. the famous all can be defined with:

[authgroup: all]
all = yes

and then used as an authgroup name if mapping for everyone in the world is really required.

A more natural way is to create a more precise filter (authgroup) and use it for both mapping and authorization (e.g. allowaccess).

So essentially our conclusion is: it is OK that all mapping is done for an authgroup.

Let's analyze all 3 options we have in [mapping] now: unixmap, unixgroupmap and unixlistmap.

unixgroupmap = authgroup maprule

This option technically does exactly what we concluded: it applies the mapping rules to the users that match the authgroup specified as an argument.

A maprule is one of those hidden in the Sysadm Manual (mapfile, simplepool, mapplugin).

There is also lcmaps, but it is the same as a particular mapplugin (we had already removed lcas from [authgroup] for the same reason).

What you CAN'T do with unixgroupmap is map to a statically defined UNIX account.

unixmap = [unixname][:unixgroup] rule

If the rule is an authrule (read: authgroup, according to the decision), then it maps all authgroup users to the static account.

If the rule is a maprule, the [unixname][:unixgroup] is replaced by * and the maprules are applied for ALL users. This is a mess and can be replaced natively by unixgroupmap, with the only exception that it is not ALL but authgroup users. But we can achieve all with an authgroup and have a clear config structure:

unixmap = * mapplugin ....

is equivalent to

[authgroup: all]
all = yes

unixgroupmap = all mapplugin ...

So the only feature that makes sense separately is static mapping.

Suggestion: drop unixmap and instead introduce a clear static mapping rule for unixgroupmap.

unixlistmap = userlist_name maprule

unixlistmap is a shortcut for userlist filtering during mapping that can anyway be accomplished with a properly defined authgroup. For example:

unixlistmap = userlist_name mapping_rules

is equivalent to:

[authgroup: ulauth]
userlist = userlist_name

unixgroupmap = ulauth mapping_rules

Taking into account that userlists, along with gridmapfiles, are legacy, this option is also removed to increase clarity.

What about gridmap?

We had already dropped gridmap for authorization purposes (require_gridmapfile is always no now). There is a file option in [authgroup] that does gridmap-based filtering.

So only the mapping part is left from gridmap. But isn't it enough to follow the common clear syntax and define the following if gridmap-based mapping is desired:

unixgroupmap = all mapfile /etc/grid-security/grid-mapfile

Epilogue

Thus we have only unixgroupmap left, and since repeating the same option name is overkill, we decided during the meeting that the mapping rules now become the configuration options instead and are renamed to better reflect their purpose, e.g.

map_to_user=all nobody:nobody
map_with_file=all /etc/grid-security/gridmapfile
map_to_pool=atlas /etc/grid-security/pool/atlas
map_with_plugin=atlas 30 /usr/libexec/arc/arc-lcmaps %D %P liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db arc

P.S. You can read rendered HTML version here: http://manf.org.ua/mapping/user/reference.html#mapping-block

Edited by Maiken
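The equivalences argued in the description (unixmap with * or a maprule is unixgroupmap on an all authgroup; unixlistmap is an authgroup with a userlist option; the remaining unixgroupmap maprules become the map_* options) written out as a small translator from a legacy [mapping] block to the proposed syntax. This is an added example, not ARC's own code or anything from this merge request; it assumes that each legacy maprule is a keyword followed by its arguments, treats lcmaps as a mapplugin variant, names the generated userlist authgroups ul_<userlist>, and works on a constructed legacy block. It also flags every rule that ends up on the all authgroup, since that is the "everyone in the world" case the description says should be a deliberate choice rather than a side effect of the old syntax.

```python
# Translate a legacy ARC [mapping] block into the refactored map_* syntax.
# Added example for this MR, not ARC's own code: the option shapes and new
# names come from the MR text; the maprule argument grammar is assumed.

# legacy maprule keyword -> refactored option name (per the MR's epilogue)
RULE_TO_OPTION = {
    "mapfile": "map_with_file",
    "simplepool": "map_to_pool",
    "mapplugin": "map_with_plugin",
    "lcmaps": "map_with_plugin",  # assumption: lcmaps is a mapplugin shorthand
}


def _split1(s):
    """Split 'head rest...' on the first whitespace run; rest may be empty."""
    parts = s.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")


def parse_blocks(text):
    """Parse arc.conf-style text into [(block_name, [(key, value), ...]), ...]."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            blocks.append((line[1:-1].strip(), []))
        elif not blocks:
            raise ValueError(f"option outside of any block: {line!r}")
        else:
            key, _, value = line.partition("=")
            blocks[-1][1].append((key.strip(), value.strip()))
    return blocks


def convert_mapping(options, list_prefix="ul_"):
    """Rewrite legacy [mapping] options.  Returns the [authgroup] blocks the new
    rules rely on, the new [mapping] lines, and a warning for every rule that
    applies to everyone in the world (the 'all' authgroup)."""
    authgroups, mapping, warnings = {}, [], []

    def use_authgroup(name, option):
        if name == "all":  # 'all' is no longer a keyword: make it an explicit authgroup
            authgroups.setdefault("all", [("all", "yes")])
            warnings.append(f"{option}: applies to everyone (authgroup 'all')")
        return name

    def from_maprule(authgroup, rule):
        keyword, args = _split1(rule)
        if keyword not in RULE_TO_OPTION:
            raise ValueError(f"unknown maprule {keyword!r} in {rule!r}")
        option = RULE_TO_OPTION[keyword]
        return f"{option}={use_authgroup(authgroup, option)} {args}".rstrip()

    for key, value in options:
        if key == "unixgroupmap":              # authgroup maprule
            authgroup, rule = _split1(value)
            mapping.append(from_maprule(authgroup, rule))
        elif key == "unixlistmap":             # userlist_name maprule
            userlist, rule = _split1(value)
            name = list_prefix + userlist      # generated authgroup name (my choice)
            authgroups.setdefault(name, [("userlist", userlist)])
            mapping.append(from_maprule(name, rule))
        elif key == "unixmap":                 # [unixname][:unixgroup] rule
            target, rule = _split1(value)
            if target == "*" or _split1(rule)[0] in RULE_TO_OPTION:
                # maprule form: the target was ignored and the rule hit ALL users
                mapping.append(from_maprule("all", rule))
            else:
                # authrule form: static account for every member of that authgroup
                mapping.append(f"map_to_user={use_authgroup(rule, 'map_to_user')} {target}")
        else:
            mapping.append(f"{key}={value}")  # unrelated option, passed through
    return {"authgroups": authgroups, "mapping": mapping, "warnings": warnings}


def convert_legacy_config(text):
    """Locate the [mapping] block of a legacy config and convert it."""
    for name, options in parse_blocks(text):
        if name == "mapping":
            return convert_mapping(options)
    raise ValueError("no [mapping] block found")


# constructed legacy block using the option shapes discussed in the MR
LEGACY_CONF = """\
[mapping]
unixmap = nobody:nobody all
unixmap = * mapfile /etc/grid-security/grid-mapfile
unixgroupmap = atlas simplepool /etc/grid-security/pool/atlas
unixlistmap = vip_users mapplugin 30 /usr/libexec/arc/arc-lcmaps %D %P liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db arc
"""

if __name__ == "__main__":
    result = convert_legacy_config(LEGACY_CONF)
    for name, opts in result["authgroups"].items():
        print(f"[authgroup: {name}]", *[f"{k} = {v}" for k, v in opts], "", sep="\n")
    print("[mapping]", *result["mapping"], sep="\n")
    for w in result["warnings"]:
        print("WARNING:", w)
```

Running it prints the two generated [authgroup] blocks (all and ul_vip_users), the four map_* lines, and two warnings for the rules that land on the all authgroup. The warnings are the point of doing this mechanically: in the old syntax a unixmap with a maprule silently applied to every user, whereas in the new syntax that scope has to be spelled out as an authgroup, so a reviewer can see at a glance which mapping rules are open to everyone.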
