[glue-wg] DENY rules

Sergio Andreozzi sergio.andreozzi at cnaf.infn.it
Mon Apr 14 17:30:59 CDT 2008


Maarten.Litmaath at cern.ch wrote:
> Ciao Sergio,
>
>   
>> please, have a look at section 18.3 of latest GLUE spec. There is an 
>> initial draft of how rules can be specified using a 'basic' policy 
>> scheme for GLUE:
>>
>>
>> basic rule ::= DN_RULE | VO_RULE | VOMS_RULE | 'ALL'
>> DN_RULE ::= 'dn:' DN_NAME
>> VO_RULE ::= 'vo:' [a-zA-Z0-9-_\.]*
>> VOMS_RULE ::= 'voms:' VOMS_FQAN ('EXCEPT' VOMS_FQAN)?
>>     
>
> How would one express that a VO "foo" has access except for the
> groups /foo/bar and /foo/xyz?
>   


Probably we need something like this:

SEPARATOR ::= ':'
VOMS_FQAN_LIST ::= (SEPARATOR VOMS_FQAN)*
VOMS_RULE ::= 'voms' VOMS_FQAN_LIST (SEPARATOR 'EXCEPT' VOMS_FQAN_LIST)?

which means in your example:

voms:/foo:EXCEPT:/foo/bar:/foo/xyz

I don't know if you prefer this instead of separate rules for each group with optional DENY.



Cheers, Sergio







-- 
Sergio Andreozzi
INFN-CNAF,                    Tel: +39 051 609 2860
Viale Berti Pichat, 6/2       Fax: +39 051 609 2746
40126 Bologna (Italy)         Web: http://www.cnaf.infn.it/~andreozzi
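
Added example, not part of the original message or of the GLUE specification: a Python sketch that parses the colon-separated VOMS rule form proposed above and evaluates one FQAN against it. The function names, the FQAN character set, the segment-aware prefix matching and the rule that an EXCEPT entry overrides an allow entry are assumptions made for illustration.

```python
import re

# FQAN shape assumed for this sketch: slash-separated segments, never ':'.
_FQAN = re.compile(r"^(/[A-Za-z0-9_.=-]+)+$")


def parse_voms_rule(rule):
    """Parse 'voms(:FQAN)*(:EXCEPT(:FQAN)*)?' into (allow, deny) lists."""
    tokens = rule.split(":")
    if tokens[0] != "voms":
        raise ValueError("not a voms rule: %r" % rule)
    allow, deny = [], []
    target = allow
    for tok in tokens[1:]:
        if tok == "EXCEPT":
            if target is deny:
                raise ValueError("EXCEPT may appear only once")
            target = deny
        elif _FQAN.match(tok):
            target.append(tok)
        else:
            # Covers empty tokens ('voms::/foo') and stray characters.
            raise ValueError("malformed FQAN %r" % tok)
    return allow, deny


def _within(fqan, group):
    # Segment-aware prefix test: /foo covers /foo and /foo/bar, not /foobar.
    return fqan == group or fqan.startswith(group + "/")


def is_authorized(rule, fqan):
    """Assumed semantics: under an allow entry and under no EXCEPT entry."""
    allow, deny = parse_voms_rule(rule)
    if any(_within(fqan, g) for g in deny):
        return False
    return any(_within(fqan, g) for g in allow)


if __name__ == "__main__":
    # Rule for the case asked about: VO foo except /foo/bar and /foo/xyz.
    rule = "voms:/foo:EXCEPT:/foo/bar:/foo/xyz"
    for fqan in ("/foo", "/foo/abc", "/foo/bar", "/foo/bar/sub", "/foobar"):
        print(fqan, is_authorized(rule, fqan))
```

A plain string-prefix comparison would let `/foobar` match `/foo`; comparing on whole path segments avoids granting access to an unrelated VO whose name shares a prefix.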


