[mapping] block refactoring (documentation only)
This merge request is automatically copied from !409 (merged) orginally made by @andrii
End arcbot message
Preface
Begin arcbot messageDuring the call we had agreed that all auth rules in the mapping can be replaced with authgroup
. E.g. famous all
can be defined with:
[authgroup: all]
all = yes
and than used as an authgroup name if mapping for everyone in the world is really required.
More natural way is to create more precise filter (authgroup) and use it for both mapping and authorization (e.g. allowaccess
).
So essentially our conclusion - it is OK that all mapping should be done for authgroup
.
Let's analyze all 3 options we have in [mapping]
now: unixmap
, unixgroupmap
and unixlistmap
.
unixgroupmap = authgroup maprule
This option technically do exactly what we conclude - it applies the mapping rules for the users that matched to authgroup
specified as an argument.
Maprule is one of those hidden in the Sysadm Manual (mapfile
, simplepool
, mapplugin
).
There is also lcmaps
but it is the same as particular mapplugin
(we had already removed lcas
in [authgroup]
for the same reason).
What you CAN'T do with unixgroupmap
is to map to statically defined UNIX account.
unixmap = [unixname][:unixgroup] rule
If rule is authrule (read authgroup
according to decision) - than it maps all authgroup
users to the static account.
If rule is maprule - the [unixname][:unixgroup]
are replaced by *
and the maprules are applied for ALL users.
This is a mess and can be replaced natively by unixgroupmap
with the only exception - it is not ALL but authgroup
users. But we can achieve all
with authgroup
and have a clear config structure:
unixmap = * mapplugin ....
is equivalent to
[authgroup: all]
all = yes
unixgroupmap = all mapplugin ...
So the only feature that makes separate sense is a static mapping.
Suggestion: drop unixmap
and instead introduce clear static mapping rule for unixgroupmap
.
unixlistmap = userlist_name maprule
unixlistmap
is a shortcut for userlist
filtering during mapping that can be anyway accomplished with properly defined authgroup
. For example:
unixlistmap = userlist_name mapping_rules
is equivalent to:
[authgroup: ulauth]
userlist = userlist_name
unixgroupmap = ulauth mapping_rules
Taking into account that userlists
along with gridmapfiles are legacy this option is also removed to increase clarity.
What about gridmap?
We had already dropped gridmap
for authorization purposes (require_gridmapfile
is always no
now).
There is file
option in [authgroup]
that do gridmap-based filtering.
So the only mapping part left from gridmap
. But isn't it is enough to follow the common clear syntax and define the following if gridmap-based mapping is desired:
unixgroupmap = all mapfile /etc/grid-security/grid-mapfile
Epilogue
Thus we have only unixgroupmap
left and repeating the same option name is overkill we had decided during the meeting that mapping rules are now becomes the configuration options instead and was renamed to better reflect its purpose, e.g.
map_to_user=all nobody:nobody
map_with_file=all /etc/grid-security/gridmapfile
map_to_pool=atlas /etc/grid-security/pool/atlas
map_with_plugin=altas 30 /usr/libexec/arc/arc-lcmaps %D %P liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db arc
P.S. You can read rendered HTML version here: http://manf.org.ua/mapping/user/reference.html#mapping-block