[glue-wg] DENY rules

Maarten.Litmaath at cern.ch Maarten.Litmaath at cern.ch
Mon Apr 14 17:48:56 CDT 2008


On Tue, 15 Apr 2008, Sergio Andreozzi wrote:

> Maarten.Litmaath at cern.ch wrote:
> > Ciao Sergio,
> >
> >   
> >> please, have a look at section 18.3 of latest GLUE spec. There is an 
> >> initial draft of how rules can be specified using a 'basic' policy 
> >> scheme for GLUE:
> >>
> >>
> >> basic rule ::= DN_RULE | VO_RULE | VOMS_RULE | 'ALL'
> >> DN_RULE ::= 'dn:' DN_NAME
> >> VO_RULE ::= 'vo:' [a-zA-Z0-9-_\.]*
> >> VOMS_RULE ::= 'voms:' VOMS_FQAN ('EXCEPT' VOMS_FQAN)?
> >>     
> >
> > How would one express that a VO "foo" has access except for the
> > groups /foo/bar and /foo/xyz?
> >   
> 
> 
> probably we need something like this:
> 
> SEPARATOR ::= ':'
> VOMS_FQAN_LIST ::= (SEPARATOR VOMS_FQAN)*
> VOMS_RULE ::= 'voms' VOMS_FQAN_LIST (SEPARATOR 'EXCEPT' VOMS_FQAN_LIST)?
> 
> which means in your example:
> 
> voms:/foo:EXCEPT:/foo/bar:/foo/xyv
> 
> I don't know if you prefer this instead of separated rules for each group with optional DENY

Has this syntax been discussed:

    VOMS:/foo
    DENY:VOMS:/foo/abc
    DENY:VOMS:/foo/xyz
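
An added sketch, not part of the thread or of the GLUE specification: it parses the list form of VOMS_RULE proposed above, rewrites it as one rule per group with DENY lines, and evaluates the result. The function names, the restriction of FQANs to plain group paths, subgroup matching and deny-overrides evaluation are all assumptions; the thread defines none of them.

```python
import re

# Assumption: an FQAN is a plain VOMS group path such as /foo/bar
# (no Role=/Capability= parts), so ':' is unambiguous as the separator.
FQAN = re.compile(r"/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*")

def parse_voms_rule(rule):
    """Parse 'voms' (':' FQAN)* (':' 'EXCEPT' (':' FQAN)*)? into two lists."""
    tokens = rule.split(":")
    if tokens[0] != "voms":
        raise ValueError("not a voms rule: %r" % rule)
    allowed, excepted = [], []
    target = allowed
    for tok in tokens[1:]:
        if tok == "EXCEPT":
            if target is excepted:
                raise ValueError("EXCEPT may appear only once")
            target = excepted
        elif FQAN.fullmatch(tok):
            target.append(tok)
        else:
            raise ValueError("bad FQAN %r" % tok)
    return allowed, excepted

def to_deny_rules(rule):
    """Rewrite the list form as separate rules, one per group, with DENY."""
    allowed, excepted = parse_voms_rule(rule)
    return ["VOMS:" + g for g in allowed] + ["DENY:VOMS:" + g for g in excepted]

def covers(rule_fqan, user_fqan):
    # Assumption: a rule on a group also covers its subgroups. The "/" guard
    # keeps /foo/bar from matching the unrelated group /foo/barbaz.
    return user_fqan == rule_fqan or user_fqan.startswith(rule_fqan + "/")

def is_authorized(rules, user_fqans):
    """Assumed semantics: any matching DENY wins regardless of rule order,
    and a user matching no rule at all gets no access."""
    allowed = False
    for line in rules:
        fqan = line.split(":")[-1]
        if any(covers(fqan, u) for u in user_fqans):
            if line.startswith("DENY:"):
                return False
            allowed = True
    return allowed
```

A member of /foo/bar normally also presents /foo, which is why the DENY match has to override the allow rather than depend on which rule is listed first.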


