VOMS2CSAgent: support of IAM nested groups

[arrabito]

In CTAO we are defining IAM groups with the following structure:

       ctao.dpps.test/dpps/user
       ctao.dpps.test/dpps/pipelines
       ctao.dpps.testdpps/pipelines/user
       ctao.dpps.test/dpps/pipelines/manager
       ctao.dpps.test/dpps/dataquality/user

etc.

However this nested structure doesn't seem to be supported by the VOMS2CSAgent, see the log below:

2026-03-20T17:24:51,868663Z Configuration/VOMS2CSAgent/VOMS2CSSynchronizer [139646936368960] DEBUG: {'/CN=DPPS User': {'CA': '/CN=DPPS Development CA', 'nickname': 'test-user', 'certSuspended': False, 'suspended': False, 'mail': 'dpps@test.example', 'Roles': ['/ctao.dpps.test/Role=dpps/Role=pipelines/Role=user', '/ctao.dpps.test/Role=dpps/Role=user', '/ctao.dpps.test/Role=dpps/Role=dataquality/Role=user', '/ctao.dpps.test', '/ctao.dpps.test/Role=dpps/Role=archive/Role=user']}}

Do you think that we could modify the VOMS2CSAgent behaviour to support this structure?

[arrabito]

@natthan-pigoux @maxnoe

[chaen]

I don't understand what behavior do you want ?
The debug message shows what I would expect.
I think @marianne013 also had something with groups. Is it the same ?

[maxnoe]

The debug message shows what I would expect.

The dpps group is not a voms role and you cannot get a voms proxy with the string produced by the dirac agent here, take e.g. this one:

'/ctao.dpps.test/Role=dpps/Role=pipelines/Role=user'

Neither dpps, nor pipelines are voms roles. These are intermediate groups. The only valid voms role is user, I.e. this voms-proxy-request works (and contains the string I woudl expect in the dirac output):

voms-proxy-init -voms 'ctao.dpps.test:/ctao.dpps.test/dpps/Role=user'

for ctao.dpps.test/dpps/user where user has the voms.role group label in IAM.

As does (one more level of nesting):

voms-proxy-init -voms 'ctao.dpps.test:/ctao.dpps.test/dpps/pipelines/Role=user'

for ctao.dpps.test/dpps/pipelines/user where again user has the voms.role group label in IAM.

[maxnoe]

Demo in our test environment:

Expected voms string, works:

[root@bdms-pytest bdms]# voms-proxy-init2 -voms ctao.dpps.test:/ctao.dpps.test/dpps/Role=user -cert /opt/rucio/etc/usercert.pem -key /opt/rucio/etc/userkey.pem
Your identity: /CN=DPPS User
Contacting voms.test.example:443 [CN=voms.test.example] "ctao.dpps.test"... Done

Created proxy in /tmp/x509up_u0.

Your proxy is valid until Wed Mar 25 21:38:30 2026 UTC

[root@bdms-pytest bdms]# voms-proxy-info --all
subject   : /CN=DPPS User/CN=2035669422
issuer    : /CN=DPPS User
identity  : /CN=DPPS User
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u0
timeleft  : 11:59:53
key usage : Digital Signature, Key Encipherment
=== VO ctao.dpps.test extension information ===
VO        : ctao.dpps.test
subject   : /CN=DPPS User
issuer    : /CN=voms.test.example
attribute : /ctao.dpps.test/dpps/Role=user/Capability=NULL
attribute : /ctao.dpps.test/Role=NULL/Capability=NULL
timeleft  : 11:59:53
uri       : voms.test.example:8080

voms string created by the DIRAC sync, fails:

[root@bdms-pytest bdms]# voms-proxy-init2 -voms ctao.dpps.test:/ctao.dpps.test/Role=dpps/Role=user -cert /opt/rucio/etc/usercert.pem -key /opt/rucio/etc/userkey.pem
Your identity: /CN=DPPS User
Contacting voms.test.example:443 [CN=voms.test.example] "ctao.dpps.test"... Failed

Error: Cannot find file or dir: /root/.glite/vomses

None of the contacted servers for ctao.dpps.test were capable of returning a valid AC for the user.

[chaen]

OK I see, what you effectively need is just the last part of your group to have the Role= in front ?

ctao.dpps.test/dpps/user -> ctao.dpps.test/dpps/Role=user
ctao.dpps.test/dpps/pipelines -> ctao.dpps.test/dpps/Role=pipelines
ctao.dpps.testdpps/pipelines/user -> ctao.dpps.testdpps/pipelines/Role=user
ctao.dpps.test/dpps/pipelines/manager -> ctao.dpps.test/dpps/pipelines/Role=manager
ctao.dpps.test/dpps/dataquality/user -> ctao.dpps.test/dpps/dataquality/Role=user

Is that correct ?
If so, I would guess the problem would be here from the top of my mind, and I don't mind having it fixed !

[maxnoe]

Is that correct ?

Yes, exactly