Hi Manos,
This is exactly what we are trying to set up on EOS/CTA at RAL, so I could try and give a comment.
Following the XRootD 5 standard, we use the new string values for the ‘-crl’, ‘-grpopt’, ‘-gmapopt’ and other options. The numerical values are there for backward compatibility (Scalla Extension: Security).
Please see our current config below. We don't set vomsat as it is automatically set to “require” (or value 2) if the vomsfun is specified. We have set “-gmapopt:null” to make the plugin ignore the gridmap file and “-crl:require” (or -crl:3) to require an up-to-date CRL for each CA. We don't use the ‘-gmapto’ and ‘-gmapopt’ options as we don't use gridmap files.
We are currently trying to figure out with our VO liaisons which of the extracted VOMS group memberships (-grps option) and roles to use in the EOS vid mappings. In case of more than one extracted VOMS group membership/role we need to decide which of these we pass to the gsi plugin via the ‘-grpopt’ flag: usefirst or uselast.
I think that with your grpopt=10 (again, this value format is deprecated, as mentioned in the above link) you use the first acceptable group from your grps option (which is /dteam) that is found in your proxy, which means it will use this
attribute: /dteam/Role=lcgadmin/Capability=NULL
and read/write to dirs owned by a vuid/guid that is mapped to this attribute.
Hope this helps,
George
sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|grps=/atlas/uk,/cms,/dteam|grpopt=useall|dbg
sec.protocol gsi -dlgpxy:request -exppxy:=creds -crl:require -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -gmapopt:null -d:1
sec.protbind * only gsi
sec.protbind *.scd.rl.ac.uk sss unix
sec.protbind localhost.localdomain sss unix
sec.protbind localhost sss unix
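The following is an added example, not part of George's post and not the XrdSecgsiVOMS plugin's own source. It parses a -vomsfunparms string of the form shown in the config above and simulates which VOMS attribute(s) the usefirst / uselast / useall values of grpopt would select from a proxy's FQAN list. It assumes the proxy FQANs are scanned in the order they appear in the proxy and that a FQAN is "acceptable" when its group part (everything before /Role=) exactly equals one of the entries in grps; both are assumptions for illustration, and the sample FQANs are constructed.

```python
from typing import Dict, List, Union

# Constructed sample: FQANs as they might be extracted from a VOMS proxy.
# Ordering and content are made up for the illustration.
SAMPLE_PROXY_FQANS = [
    "/atlas/Role=NULL/Capability=NULL",
    "/dteam/Role=lcgadmin/Capability=NULL",
    "/dteam/Role=NULL/Capability=NULL",
]

# The -vomsfunparms value from the config above.
SAMPLE_VOMSFUNPARMS = "certfmt=pem|grps=/atlas/uk,/cms,/dteam|grpopt=useall|dbg"


def parse_vomsfunparms(params: str) -> Dict[str, Union[str, bool]]:
    """Split a '|'-separated key=value list; bare keys (e.g. 'dbg') become True."""
    parsed: Dict[str, Union[str, bool]] = {}
    for item in params.split("|"):
        item = item.strip()
        if not item:
            continue
        if "=" in item:
            key, value = item.split("=", 1)
            parsed[key.strip()] = value.strip()
        else:
            parsed[item] = True
    return parsed


def fqan_group(fqan: str) -> str:
    """Return the group part of a FQAN, i.e. everything before '/Role='."""
    return fqan.split("/Role=", 1)[0]


def select_fqans(proxy_fqans: List[str], grps: str, grpopt: str) -> List[str]:
    """Simulate the grpopt selection (assumption: exact match on the group part).

    usefirst -> first acceptable FQAN in proxy order
    uselast  -> last acceptable FQAN in proxy order
    useall   -> every acceptable FQAN, in proxy order
    """
    acceptable = {g.strip() for g in grps.split(",") if g.strip()}
    matches = [f for f in proxy_fqans if fqan_group(f) in acceptable]
    if not matches:
        # No group from grps is present in the proxy: nothing to map.
        return []
    if grpopt == "usefirst":
        return matches[:1]
    if grpopt == "uselast":
        return matches[-1:]
    if grpopt == "useall":
        return matches
    raise ValueError(f"unsupported grpopt value: {grpopt!r}")


def select_from_config(proxy_fqans: List[str], vomsfunparms: str) -> List[str]:
    """Apply the grps/grpopt settings from a -vomsfunparms string to a proxy."""
    cfg = parse_vomsfunparms(vomsfunparms)
    return select_fqans(proxy_fqans, str(cfg.get("grps", "")), str(cfg.get("grpopt", "usefirst")))


if __name__ == "__main__":
    for opt in ("usefirst", "uselast", "useall"):
        chosen = select_fqans(SAMPLE_PROXY_FQANS, "/atlas/uk,/cms,/dteam", opt)
        print(f"{opt:9s} -> {chosen}")
```

Note that with the exact-match assumption "/atlas/Role=NULL/..." is not selected even though "/atlas/uk" is listed, which is the kind of detail worth confirming against the plugin before relying on the resulting EOS vid mappings.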