multiple usernames per resource


Michael Shapiro reminds me that the proposed XDCDB API route can return multiple usernames. A user may have multiple usernames at a site due to account merges and other routine AMIE actions. In the old grid-mapfile format, we'd list multiple comma-separated usernames, like:

"/DC=org/DC=cilogon/C=US/O=LIGO/CN=Jim Basney jim.basney@ligo.org" jbasney,basneyj

I don't think the new Globus Auth map_file allows one to many mappings.

This should be addressed more clearly in the design doc.


Correct me if I'm wrong, but I thought that we decided to forbid allowing multiple possible targets for each authentication credential a long time ago - if only to avoid the inevitable question of which of the available targets to allow entry as.

So I'm working with Michael now (working ahead a little) on a Python test mule to generate a mapfile. I'm getting output like this (field2 is portalLogin and field4 in brackets is usernames). Of the several thousand output lines of users, there are a handful with 2 local ids. How to handle this???

46977 mcmulled MCMULLEDP ['mcmulled', 'dmcmulle']

58749 keivan ESFARJAAP ['kesfarja', 'keivan']

52572 dholabh PDHOLABHP ['dholabha', 'dholabh']

48873 jhuband HUBAND1AP ['jmh5ad', 'jhuband']

41379 wzhenlin ZWANGB1AP ['zwangb', 'zwangc']

54309 ruisun SUNR123AP ['rusun', 'ruisun']

21247 robquick RQUICK12P ['quick', 'robquick']

49486 jasonalt ALT1234AP ['jasonalt', 'jalt']

45673 glabcher VPROSHCHP ['vproshch', 'proshche']

59024 shivu UPADHYASP ['shivu', 'supadhya']

43589 shayan66 SHAMSS12P ['shamss', 'sshams']

28431 foster FOSTERI1P ['ifoster', 'fosteri']

38907 majdavis JDAVIS51P ['jdavis5', 'jdavis6']

2 local IDs at NCSA? My inclination is that these should be resolved as errors, i.e., NCSA local allocations manager determines (with user's input?) which should be mapped.

Here's what I've got so far with the test-devel python script querying Michael's new route:

lgheronmini-ofc:devel galen$ ./xdcdb.py  
testing authentication, should return 200...

{'message': None, 'result': None}
generating mapfile ...

bridges.psc.xsede
PSC
46977 mcmulled MCMULLEDP ['mcmulled', 'dmcmulle']
58749 keivan ESFARJAAP ['kesfarja', 'keivan']
52572 dholabh PDHOLABHP ['dholabha', 'dholabh']
48873 jhuband HUBAND1AP ['jmh5ad', 'jhuband']
41379 wzhenlin ZWANGB1AP ['zwangb', 'zwangc']
54309 ruisun SUNR123AP ['rusun', 'ruisun']
21247 robquick RQUICK12P ['quick', 'robquick']
49486 jasonalt ALT1234AP ['jasonalt', 'jalt']
45673 glabcher VPROSHCHP ['vproshch', 'proshche']
59024 shivu UPADHYASP ['shivu', 'supadhya']
43589 shayan66 SHAMSS12P ['shamss', 'sshams']
28431 foster FOSTERI1P ['ifoster', 'fosteri']
38907 majdavis JDAVIS51P ['jdavis5', 'jdavis6']
mapfile lines written: 10956

lgheronmini-ofc:devel galen$ head -10 mapfile
boya66@xsede.org boya66
yashshah@xsede.org yshah
mdk@xsede.org mdk
lifei@xsede.org lifei
gsalman@xsede.org gsalman
faridk@xsede.org faridk
sudhar11@xsede.org sudhar11
brodwill@xsede.org brodwill
mmehrabi@xsede.org mmehrabi
boothsl@xsede.org boothsl

I suspect other sites also have these 2-local-id artifacts. At the moment, the script just emits the multi-local-id lines to stdout and doesn't add them to the mapfile. I'm only populating the mapfile when the mapping is 1:1 portalLogin:username.

There's no real pattern emerging for the multiple usernames. Sometimes the 1st is real, or the 2nd is real, or none are real (dholabh*). Here's a case where both of the local ids are valid:

[arnoldg@br005 ~]$ finger quick
Login: quick
Name: Robert Quick
Directory: /home/quick
Shell: /usr/psc/shells/bash
Never logged in. No mail. No Plan.

Login: robquick
Name: Robert Quick
Directory: /home/robquick
Shell: /usr/psc/shells/bash
Never logged in. No mail. No Plan.

The XDCDB allows a user to have multiple usernames on a resource. This is not an error. This can (and does) happen when duplicate people are merged into a single person. All of the usernames for both people are retained for the final merged person.

If sites do not want a given person to have more than one username, it is up to them to select a username and inform the XDCDB which username is to be retained -- they can do this via AMIE or via tickets. To date, very few requests to clean up the usernames have been made. The usernames are needed for usage loading and a given person with multiple usernames may run jobs under any of the usernames and the XDCDB must allow for that, hence we keep multiple usernames.
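
The following is an added example, not part of any post in this thread and not the xdcdb.py script itself: a sketch of the 1:1-only mapfile policy discussed above, with multi-username logins held back until the site picks one. The record keys, the `site_choice` override table, the character whitelist and the sample records are assumptions made for illustration.

```python
import re

# Assumed record shape: dicts with "portalLogin" and "usernames" keys (the
# field names mentioned in the thread); the real route's JSON may differ.
# Conservative whitelist so a value can never inject a space or a newline
# into the one-to-one "identity local_user" mapfile line.
SAFE = re.compile(r"[A-Za-z0-9._-]+")


def build_mapfile(records, site_choice=None, domain="xsede.org"):
    """Return (mapfile_lines, unresolved).

    A login with exactly one local username is written as-is. A login with
    several is written only when the site has picked one of the candidates
    in site_choice (hypothetical dict: portalLogin -> username). Everything
    else is reported in unresolved instead of being guessed at.
    """
    site_choice = site_choice or {}
    lines, unresolved = [], {}
    for rec in records:
        login = rec["portalLogin"]
        # Drop repeated usernames but keep the order the database returned.
        names = list(dict.fromkeys(rec.get("usernames") or []))
        if not SAFE.fullmatch(login) or not all(SAFE.fullmatch(n) for n in names):
            unresolved[login] = "unsafe characters"
            continue
        if len(names) == 1:
            chosen = names[0]
        elif site_choice.get(login) in names:
            # The override must be one of the usernames the database lists;
            # a stale or mistyped choice must not create a new mapping.
            chosen = site_choice[login]
        else:
            unresolved[login] = names or "no local username"
            continue
        lines.append(f"{login}@{domain} {chosen}")
    return lines, unresolved


# Constructed sample records, not real accounts.
SAMPLE = [
    {"portalLogin": "alice1", "usernames": ["alice1"]},
    {"portalLogin": "bobm", "usernames": ["bmerged", "bobm"]},
    {"portalLogin": "carol", "usernames": ["carolx", "carol"]},
    {"portalLogin": "dave", "usernames": ["dave", "dave"]},
    {"portalLogin": "eve", "usernames": []},
]

if __name__ == "__main__":
    written, held = build_mapfile(SAMPLE, {"bobm": "bobm", "carol": "other"})
    print("\n".join(written))
    print("needs site decision:", held)
```
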
