[glue-wg] DENY rules
Paul Millar
paul.millar at desy.de
Mon Apr 14 13:24:13 CDT 2008
Hi Stephen
On Monday 14 April 2008 17:58:47 Burke, S (Stephen) wrote:
> Just as a comment on the discussion about DENY rules in policies, my
> alternative suggestion was to have "allow" rules with a more complex
> syntax, e.g. something like:
>
> VOMS:/atlas/*:EXCEPT:/atlas/higgs
>
> which would match against any subgroup of atlas except higgs. That would
> be a bit harder to parse, but maybe still easier than a generic DENY
> rule.

(This is not a comment about the idea of publishing allow+except; it is a
comment about this specific example implementation.)

What you describe is an invalid FQAN.

This matters only if the VOMS URI is for publishing FQANs. I believe this is
the case, but can't find this stated anywhere. If so, one solution would be
to extend the namespace by adding a new URI prefix (i.e., not use "VOMS").

HTH,
Paul.
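
An added example, not part of the original message or of any GLUE or VOMS code: one way to evaluate the allow-with-exception rule quoted above, keeping the rule string separate from the FQANs it is matched against. The function names, the handling of /Role= and /Capability= suffixes, the characters rejected in group names, and the choice that an exception also covers its subgroups are assumptions.

```python
# Added example; semantics are assumptions, not defined by GLUE or VOMS.

def group_path(fqan):
    """Split an FQAN into group components, ignoring /Role= and /Capability=."""
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/': %r" % fqan)
    parts = []
    for part in fqan[1:].split("/"):
        if part.startswith(("Role=", "Capability=")):
            break
        # Assumption: wildcards and ':' never appear in a real group name.
        if not part or "*" in part or ":" in part:
            raise ValueError("invalid group component in %r" % fqan)
        parts.append(part)
    if not parts:
        raise ValueError("no VO in %r" % fqan)
    return parts

def parse_rule(rule):
    """Parse 'VOMS:<group>/*' or 'VOMS:<group>/*:EXCEPT:<group>'."""
    fields = rule.split(":")
    if len(fields) == 2:
        fields += ["EXCEPT", None]
    if len(fields) != 4 or fields[0] != "VOMS" or fields[2] != "EXCEPT":
        raise ValueError("unsupported rule: %r" % rule)
    if not fields[1].endswith("/*"):
        raise ValueError("only the wildcard form is handled: %r" % rule)
    allow = group_path(fields[1][:-2])
    denied = group_path(fields[3]) if fields[3] is not None else None
    return allow, denied

def allows(rule, fqan):
    """True if fqan is a strict subgroup of the allowed group and not excepted."""
    allow, denied = parse_rule(rule)
    path = group_path(fqan)
    # The exception is checked first and covers the group and its subgroups.
    if denied is not None and path[:len(denied)] == denied:
        return False
    # Compare whole components so '/atlasx/foo' is not taken for '/atlas/...'.
    return len(path) > len(allow) and path[:len(allow)] == allow

RULE = "VOMS:/atlas/*:EXCEPT:/atlas/higgs"  # rule string from the message
```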