[glue-wg] DENY rules

Sergio Andreozzi sergio.andreozzi at cnaf.infn.it
Tue Apr 15 08:43:31 CDT 2008 

Laurence Field wrote:
> The problem with an information model is that we can end up describing 
> everything.  The aim of Glue within OGF is to try and bring some of 
> the other specifications together and not define so much by 
> ourselves.  For example, JSDL should describe the job and Glue should 
> reflect this so that the job can be matched. The group defining JSDL 
> should worry about the matchmaking should be worked out jointly 
> between the JSDL group and Glue, but JSDL should be the definition 
> which Glue reflects and likewise for the Authorization.
>
> We need to narrow our focus or we will end up "boiling the ocean" 
> which has happened to many other Groups and the definition will take 
> forever.
>
> From what I can see on the use of DENY tags within EGEE, this is a big 
> hack to work around a implementation problem in the glite middleware 
> and as such should not dictate what is done in Glue.  We should just 
> be able to published the ACLs in the FQAN format and that is it.
>
> The reason for the DENY tags is the inconsistency with the simple 
> matchmaking done by the WMS and the mapping of VOMS FQANs in a CE.
that's not completely true. The WMS was also extended to support the 
DENY option (it is just the matter of defining a new matching operator).
The problem was that the LCMAPS component performed decision using a 
different logic than WMS (assuming order between rules). This should be 
solved in EGEE-3 as they have defined a number of recommendations which 
avoid the need for assuming ordering.

We can leverage these recommendations and propose a basic syntax for 
policy rules. This is an important interoperability aspect and we have 
experience to do this, more than in GLUE 1.x.

> If publishing only the FQANs does not work, it is not necessarily an 
> information model problem but architectural issue that needs to be 
> fixed and should be pushed back to those dealing the Authentication 
> and Authorization. We need to take a more minimalistic approach do the 
> schema definition and not try to fix other peoples problems.
it could work, but it is not efficient.

Consider the Balazs use case:

ATLAS has 100 groups. You want to state that 99 groups are authorized, 
but not /atlas/production/students.

With just FQAN you have to list 99 groups, this is inefficient.
The other way is to say

/atlas/*:EXCEPT:/atlas/production/student

or

ALLOW: fqan:/atlas/*
DENY: fqan:/atlas/production/student

this is a simple set of rules (just allow/deny) which should be easy to 
map to underlyng middlewares.

Cheers, Sergio

More information about the glue-wg mailing list