
Re: [HTCondor-users] How to write X.509 map file and unified map file



Hi Marco,

Prior to 8.5.8 all keys were assumed to be regexes.  This is both slower and less secure, so now if you set CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS=true then they are treated as literals UNLESS they start and end with a '/' (single forward slash).

So your examples DO depend on the setting of CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS.  If false (the default) they are interpreted as regexes.  If true, they will be interpreted as literals (and the first of your examples with the ^ and $ will not match.)

Assuming you have CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS unset or set to false, then they would both match.  Although it is not necessary to quote the forward slashes or equal signs, I believe PCRE ignores the extra quoting characters and treats \= as just an = and the same for the slash.


Then also:

>    And 2 more questions:
>    - About CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS, if that is set to true and the regex includes spaces, do the quotes (") have to be outside or inside the "/" at the beginning and end?

In the two examples you sent, there isn't a / at the end.  But just to clarify:  If CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS is true then only if the key starts and ends with / will it be treated as a regex.  In that case, you don't need quotes at all.

>    - Is the behavior of the DNs in the X.509 map (GSS_ASSIST_GRIDMAP) the same?

No.  That file is parsed by the globus utilities and HTCondor has no control over that.  Nor do they support regexes as far as I know.


Let me know if I can clarify anything!


Cheers,
-zach


On 10/17/18, 5:34 PM, "HTCondor-users on behalf of Marco Mambelli" <htcondor-users-bounces@xxxxxxxxxxx on behalf of marcom@xxxxxxxx> wrote:

    Hi all,
    the current HTCondor unified map files we use and suggest in GlideinWMS, we have a lot of escaped characters in the DN specification.
    in the manual (8.6) I found that a quoted string is sufficient and it seems there is no need for any escaping:
     3.8.3.1 GSI Authentication and in http://research.cs.wisc.edu/htcondor/manual/v8.6/3_8Security.html
    
    Is this happening only when CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS is true?
    
    I.e. Are these 2 equivalent? Does it depend on the setting of CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS?
    GSI "^\/DC\=org\/DC\=opensciencegrid\/O\=Open\ Science\ Grid\/OU\=Services\/CN\=gwms\-host\.fnal\.gov$" vofrontend_service
    GSI "/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/CN=gwms-host.fnal.gov" vofrontend_service
    
    For PCRE the characters to escape are ".^$*+?()[{\|", in the example above we are escaping even more, e.g. spaces. I guess it is not hurting but is not necessary, correct?
    
    And 2 more questions:
    - About CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS, if that is set to true and the regex includes spaces, do the quotes (") have to be outside or inside the "/" at the beginning and end?
    - Is the behavior of the DNs in the X.509 map (GSS_ASSIST_GRIDMAP) the same?
    
    Thank you,
    Marco
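
An added example (not part of the original thread and not HTCondor's code) that models the key-interpretation rule described in the reply and runs it over the two map lines from the question. The simplified line parser, the first-match order, the unanchored search and the use of Python's `re` in place of PCRE are assumptions.

```python
import re

# Assumed simplified line format: METHOD, key (optionally double-quoted), user.
LINE = re.compile(r'^(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)$')

def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unparsable map line: %r" % line)
    method, quoted, bare, user = m.groups()
    return method, quoted if quoted is not None else bare, user

def key_matches(key, dn, assume_hash_keys):
    """True if `key` maps `dn` under CERTIFICATE_MAPFILE_ASSUME_HASH_KEYS."""
    if assume_hash_keys:
        # Literal unless the key starts and ends with a single '/'.
        if len(key) >= 2 and key.startswith("/") and key.endswith("/"):
            return re.search(key[1:-1], dn) is not None
        return key == dn
    # Setting false or unset: every key is interpreted as a regex.
    return re.search(key, dn) is not None

def map_user(lines, method, dn, assume_hash_keys):
    """First matching line wins (assumption); None if nothing matches."""
    for line in lines:
        meth, key, user = parse_line(line)
        if meth == method and key_matches(key, dn, assume_hash_keys):
            return user
    return None

# The two map lines from the question in this thread.
ESCAPED = r'GSI "^\/DC\=org\/DC\=opensciencegrid\/O\=Open\ Science\ Grid\/OU\=Services\/CN\=gwms\-host\.fnal\.gov$" vofrontend_service'
PLAIN = 'GSI "/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/CN=gwms-host.fnal.gov" vofrontend_service'
DN = "/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/CN=gwms-host.fnal.gov"
# Constructed DN: one character differs where the plain key has an unescaped '.'.
NEAR_DN = DN.replace("host.fnal", "hostXfnal")

if __name__ == "__main__":
    for name, line in (("escaped", ESCAPED), ("plain", PLAIN)):
        for hash_keys in (False, True):
            for label, dn in (("DN", DN), ("NEAR_DN", NEAR_DN)):
                print(name, "hash_keys=%s" % hash_keys, label,
                      map_user([line], "GSI", dn, hash_keys))
```

When the plain line is read as a regex, its unescaped `.` also accepts the constructed near-miss DN; read as a literal, it maps only the exact DN.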