[glue-wg] DENY rules
Burke, S (Stephen)
S.Burke at rl.ac.uk
Tue Apr 15 04:14:16 CDT 2008
Maarten.Litmaath at cern.ch [mailto:Maarten.Litmaath at cern.ch] said:
> Has this syntax been discussed:
>
> VOMS:/foo
> DENY:VOMS:/foo/abc
> DENY:VOMS:/foo/xyz
That was what Balazs was proposing in the meeting. My point was that
it's quite hard to define that syntax in a generic way - for example,
what if you say
VO:/foo
DENY:VOMS:/foo/abc
does the DENY apply to a rule in a different scheme? Effectively if you
go that way you have two different kinds of rules, deny-rules and
allow-rules, and you have to process all the deny-rules first - and if a
parser can't interpret a rule (e.g. it only knows about VO: rules) it
can make a wrong decision (although GLUE isn't a Policy Enforcement
Point so that doesn't violate security, it just makes things
inefficient).
Anyway, Balazs' use-case seemed to be basically the one above, i.e.
"cutting out" some part of the space from an allow rule because it's
easier than listing all groups explicitly. I was suggesting that you can
do that in a simpler way than having a fully generic DENY syntax.
(Incidentally, note that EGEE has explicitly said it won't use DENYs,
because it makes things too complicated.)
One final point, consider this (perhaps overcomplex) rule:
allow /atlas/*
except for the subgroup /atlas/higgs
except that you still allow the subsubgroup
/atlas/higgs/production
except for the subsubsubgroup /atlas/higgs/production/test
With the :except: scheme you could do that:
VOMS:/atlas/*:EXCEPT:/atlas/higgs
VOMS:/atlas/higgs/production:EXCEPT:/atlas/higgs/production/test
With DENYs I don't think you could do it: DENY:VOMS:/atlas/higgs would
override the second rule.
Stephen
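The two evaluation orders Stephen contrasts above, as an added toy evaluator (editor's example, not GLUE code or anything from the thread). It assumes that a VOMS group pattern covers the group itself and every subgroup below it, that a trailing "/*" means the same thing, that a VO: rule matches on the VO name with any leading slash dropped, and that roles in the FQAN are ignored; the credential and rule names are constructed for the example. The DENY evaluator processes all deny-rules before allow-rules and skips rules in schemes it does not know, which is exactly the situation where a VO-only parser returns the wrong answer; the :EXCEPT: evaluator treats each rule as self-contained.

```python
"""Toy evaluator for two candidate GLUE ACL syntaxes: DENY rules versus
per-rule :EXCEPT: clauses. Added example; the matching semantics below are
assumptions, not the GLUE specification."""

from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


@dataclass
class Credential:
    vo: str     # VO name, e.g. "atlas"
    fqan: str   # VOMS group path, e.g. "/atlas/higgs/production" (roles ignored)


@dataclass
class Rule:
    deny: bool
    scheme: str                 # "VO" or "VOMS"
    value: str                  # VO name or VOMS group pattern
    excepts: List[str] = field(default_factory=list)


def group_matches(pattern: str, fqan: str) -> bool:
    """Assumption: a group pattern covers the group and all subgroups below it;
    a trailing '/*' is accepted and means the same thing."""
    if pattern.endswith("/*"):
        pattern = pattern[:-2]
    pattern = pattern.rstrip("/") or "/"
    return fqan == pattern or fqan.startswith(pattern + "/")


def parse_rule(text: str) -> Rule:
    """Parse 'DENY:VOMS:/x', 'VO:foo' or 'VOMS:/x:EXCEPT:/x/y[:EXCEPT:...]'."""
    deny = text.startswith("DENY:")
    if deny:
        text = text[len("DENY:"):]
    scheme, _, rest = text.partition(":")
    parts = rest.split(":EXCEPT:")
    return Rule(deny=deny, scheme=scheme, value=parts[0], excepts=parts[1:])


def rule_matches(rule: Rule, cred: Credential) -> bool:
    if rule.scheme == "VO":
        # The thread writes VO:/foo; compare on the name with the slash dropped.
        base = cred.vo == rule.value.lstrip("/")
    elif rule.scheme == "VOMS":
        base = group_matches(rule.value, cred.fqan)
    else:
        raise ValueError(f"unknown scheme {rule.scheme!r}")
    # An :EXCEPT: clause carves a subtree out of this rule only.
    return base and not any(group_matches(e, cred.fqan) for e in rule.excepts)


def decide_with_deny(rules: Sequence[str], cred: Credential,
                     known_schemes: Sequence[str] = ("VO", "VOMS")) -> bool:
    """DENY scheme: every deny-rule is processed before any allow-rule.
    A parser that does not understand a scheme has to skip those rules."""
    usable = [r for r in map(parse_rule, rules) if r.scheme in known_schemes]
    if any(rule_matches(r, cred) for r in usable if r.deny):
        return False
    return any(rule_matches(r, cred) for r in usable if not r.deny)


def decide_with_except(rules: Sequence[str], cred: Credential) -> bool:
    """EXCEPT scheme: access is granted if any single rule matches."""
    parsed = [parse_rule(r) for r in rules]
    if any(r.deny for r in parsed):
        raise ValueError("the :EXCEPT: scheme has no DENY rules")
    return any(rule_matches(r, cred) for r in parsed)


# The nested atlas/higgs/production case from the thread, in both syntaxes.
ATLAS_EXCEPT = [
    "VOMS:/atlas/*:EXCEPT:/atlas/higgs",
    "VOMS:/atlas/higgs/production:EXCEPT:/atlas/higgs/production/test",
]
ATLAS_DENY = [
    "VOMS:/atlas/*",
    "DENY:VOMS:/atlas/higgs",
    "VOMS:/atlas/higgs/production",
    "DENY:VOMS:/atlas/higgs/production/test",
]


def compare(fqan: str) -> Tuple[bool, bool]:
    """(EXCEPT-scheme decision, DENY-scheme decision) for an atlas group."""
    cred = Credential("atlas", fqan)
    return decide_with_except(ATLAS_EXCEPT, cred), decide_with_deny(ATLAS_DENY, cred)


if __name__ == "__main__":
    for g in ["/atlas/top", "/atlas/higgs",
              "/atlas/higgs/production", "/atlas/higgs/production/test"]:
        print(f"{g:32} except={compare(g)[0]!s:5} deny={compare(g)[1]}")
    # Mixed-scheme case: a parser that only knows VO: rules never sees the DENY.
    cred = Credential("foo", "/foo/abc")
    mixed = ["VO:/foo", "DENY:VOMS:/foo/abc"]
    print("full parser:", decide_with_deny(mixed, cred),
          " VO-only parser:", decide_with_deny(mixed, cred, known_schemes=("VO",)))
```

Running it shows the divergence Stephen describes: /atlas/higgs/production is allowed under the :EXCEPT: rules but denied under the DENY rules, because DENY:VOMS:/atlas/higgs is applied before the later allow-rule is ever consulted. The mixed-scheme run shows the other point: with the DENY rule in a scheme the parser ignores, the VO-only parser grants /foo/abc that the full parser denies.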