[glue-wg] DENY rules
Laurence Field
Laurence.Field at cern.ch
Tue Apr 15 08:47:58 CDT 2008
> Consider the Balazs use case:
>
> ATLAS has 100 groups. You want to state that 99 groups are authorized,
> but not /atlas/production/students.
>
> With just FQAN you have to list 99 groups, this is inefficient.
> The other way is to say
>
> /atlas/*:EXCEPT:/atlas/production/student
>
> or
>
> ALLOW: fqan:/atlas/*
> DENY: fqan:/atlas/production/student
>
>
If this syntax is required, it should be defined by the group that
defines FQANs. There are many places in the architecture where such
matchmaking takes place and the information system is just one of them.
The problem within EGEE, as you stated was that the method of
matchmaking in LCMAPS and the WMS was not consistent. I realize that
some of us involved in Glue would also be involved in the other
discussion but we need to separate these different roles. We should not
define this syntax but reference where this syntax if defined. If this
syntax has not been defined we need to state this and not make invent one.
Laurence
More information about the glue-wg
mailing list