Michael Shapiro reminds me that the proposed XCDB API route can return multiple usernames. A user may have multiple usernames at a site due to account merges and other routine AMIE actions. In the old grid-mapfile format, we'd list multiple comma-separated usernames, like:
"/DC=org/DC=cilogon/C=US/O=LIGO/CN=Jim Basney jim.basney@ligo.org" jbasney,basneyj
I don't think the new Globus Auth map_file allows one to many mappings.
This should be addressed more clearly in the design doc.
Correct me if I'm wrong, but I thought that we decided to forbid allowing multiple possible targets for each authentication credential a long time ago - if only to avoid the inevitable question of which of the available targets to allow entry as.
So I'm working with Michael now (working ahead a little) on a Python test mule to generate a mapfile. I'm getting output like this (field2 is portalLogin and field4 in brackets is usernames). Of the several thousand output lines of users, there are a handful with 2 local ids. How to handle this???
46977 mcmulled MCMULLEDP ['mcmulled', 'dmcmulle']
58749 keivan ESFARJAAP ['kesfarja', 'keivan']
52572 dholabh PDHOLABHP ['dholabha', 'dholabh']
48873 jhuband HUBAND1AP ['jmh5ad', 'jhuband']
41379 wzhenlin ZWANGB1AP ['zwangb', 'zwangc']
54309 ruisun SUNR123AP ['rusun', 'ruisun']
21247 robquick RQUICK12P ['quick', 'robquick']
49486 jasonalt ALT1234AP ['jasonalt', 'jalt']
45673 glabcher VPROSHCHP ['vproshch', 'proshche']
59024 shivu UPADHYASP ['shivu', 'supadhya']
43589 shayan66 SHAMSS12P ['shamss', 'sshams']
28431 foster FOSTERI1P ['ifoster', 'fosteri']
38907 majdavis JDAVIS51P ['jdavis5', 'jdavis6']
2 local IDs at NCSA? My inclination is that these should be resolved as errors, i.e., NCSA local allocations manager determines (with user's input?) which should be mapped.
Here's what I've got so far with the test-devel python script querying Michael's new route:
I suspect other sites also have these 2-local-id artifacts. At the moment, the script just emits the multi-local-id lines to stdout and doesn't add them to the mapfile. I'm only populating the mapfile when the mapping is 1:1 portalLogin:username.
There's no real pattern emerging for the multiple usernames. Sometimes the 1st is real, or the 2nd is real, or none are real (dholabh*). Here's a case where both of the local ids are valid:
The XDCDB allows a user to have multiple usernames on a resource. This is not an error. This can (and does) happen when duplicate people are merged into a single person. All of the usernames for both people are retained for the final merged person.
If sites do not want a given person to have more than one username, it is up to them to select a username and inform the XDCDB which username is to be retained -- they can do this via AMIE or via tickets. To date, very few requests to clean up the usernames have been made. The usernames are needed for usage loading, and a given person with multiple usernames may run jobs under any of the usernames and the XDCDB must allow for that, hence we keep multiple usernames.
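The 1:1-only handling described in the thread (add a portalLogin to the map only when it has exactly one local username, report the rest for a site decision), as an added example that is not the script from the thread. The sample records are constructed in the quoted four-field layout, the function names are hypothetical, and the check for a local username claimed by two portalLogins goes beyond what the thread describes and is an assumption about what a site would want reviewed.

```python
import ast
import re

# Constructed sample records, same layout as the output quoted in the thread:
# field1 (id), field2 (portalLogin), field3 (opaque code), field4 (local usernames).
SAMPLE = """\
10001 alice ALICE001P ['alice']
10002 bobk BKIM0001P ['bkim', 'bobk']
10003 carol CAROL001P ['carol']
10004 dave DAVE0001P []
10005 erin ERIN0001P ['carol']
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\[.*\])\s*$")


def parse_line(line):
    """Return (portalLogin, [usernames]) for one record, or raise ValueError."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    # literal_eval only accepts Python literals, so the bracketed field
    # cannot execute code the way eval() would.
    names = ast.literal_eval(m.group(4))
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise ValueError(f"field4 is not a list of strings: {line!r}")
    return m.group(2), names


def build_mapping(text):
    """Split records into an unambiguous map and a review list.

    mapping:      portalLogin -> the single local username
    needs_review: portalLogin -> reason it was left out of the map
    """
    mapping, needs_review, owner = {}, {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        login, names = parse_line(line)
        names = sorted(set(names))  # collapse repeated usernames
        if len(names) != 1:
            # Zero or several local usernames: never guess, leave it to the site.
            needs_review[login] = f"{len(names)} local usernames: {names}"
        elif names[0] in owner:
            # Assumption: one local account reachable from two identities needs review.
            needs_review[login] = f"{names[0]} already mapped to {owner[names[0]]}"
        else:
            mapping[login] = names[0]
            owner[names[0]] = login
    return mapping, needs_review
```
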