[glue-wg] ACLs, ACLs, everywhere [WAS: Comparison with CIM]

Paul Millar paul.millar at desy.de
Tue May 6 13:04:15 CDT 2008


Hi Maarten,

On Tuesday 06 May 2008 00:11:51 Maarten.Litmaath at cern.ch wrote:
> An example mixing grid authorization notions with POSIX ACL syntax:
>
>     GlueAccessControlEntry: /DC=ch/DC=cern/.../CN=somebody::rwx
>     GlueAccessControlEntry: /someVO/Role=admin::rwx
>     GlueAccessControlEntry: other::r-x
>     GlueAccessControlEntry: default:user::rwx
>     GlueAccessControlEntry: default:group::rwx
>     GlueAccessControlEntry: default:other::r-x
>     GlueAccessControlEntry: mask::rwx
>
> Or with AFS ACL syntax:
>
>     GlueAccessControlEntry: /DC=ch/DC=cern/.../CN=somebody::rlidwa
>     GlueAccessControlEntry: /someVO/Role=admin::rlidwa
>     GlueAccessControlEntry: other::rl
>
> Or with NTFS ACL syntax:
>
>     GlueAccessControlEntry: /DC=ch/DC=cern/.../CN=somebody::rwxdpo
>     GlueAccessControlEntry: /someVO/Role=admin::rwxdpo
>     GlueAccessControlEntry: other::rx

... which illustrates the problem with publishing ACLs nicely.

On seeing an entry like:
	GlueAccessControlEntry: /DC=ch/DC=cern/.../CN=somebody::rwx

does a client assume that the ACL is a POSIX one (user can do all operations),
or an AFS one (user can't do "lida"), or an NFS one (can't do "dpo"), or [...]
A client simply can't tell.  A grid (e.g., WLCG) might standardise on one but
this is irrelevant: GLUE is about cross-grid standardisation, right?

Moreover, since a site might publish authz info with any (valid) ACL format, a 
client must be able to understand *all* potential ACL formats and how the 
permissions map to the operation the client wants to undertake.  For 
operation X, what permissions are needed for POSIX-like ACLs, and for AFS and 
for NTFS, and for NFS, and for GPFS, and for [...]; what about operation Y, 
what permissions are needed for POSIX-like [...]?

Even if the information is published and somehow clients can understand all
possible information, the published ACLs may still (for practical and legal
reasons) be incomplete; even if the client has successfully understood the
ACLs there's no guarantee that they will be able to use the service.

If we want to publish an authz mapping between users and a service, I feel it 
should be at a VO level.  What are the use-cases for *publishing* finer-grain 
authorisation?  ...and are they reasonable?

Cheers,

Paul.
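As an added illustration of the ambiguity Paul describes (example code written for this page, not part of the thread, of GLUE, or of any grid middleware): a client that receives a GlueAccessControlEntry without knowing which ACL syntax the site used can only evaluate a requested operation under every candidate syntax and see whether the answers agree. The letter alphabets and the mapping from operations to required rights below are simplified assumptions made for the illustration, not the authoritative semantics of POSIX, AFS or NTFS; the sample entries are constructed, modelled on the ones quoted above.

```python
import re

# Simplified letter alphabets of the three syntaxes mixed in the quoted
# examples (assumption for this illustration).
ALPHABET = {
    "posix": set("rwx"),
    "afs":   set("rlidwka"),   # read, lookup, insert, delete, write, lock, administer
    "ntfs":  set("rwxdpo"),    # read, write, execute, delete, change perms, take ownership
}

# Rights an operation needs under each syntax (assumption for the
# illustration; a real client would need each system's exact rules).
NEEDS = {
    "read_file":   {"posix": {"r"},      "afs": {"r", "l"}, "ntfs": {"r"}},
    "write_file":  {"posix": {"w"},      "afs": {"w"},      "ntfs": {"w"}},
    "create_file": {"posix": {"w", "x"}, "afs": {"i"},      "ntfs": {"w"}},
    "delete_file": {"posix": {"w", "x"}, "afs": {"d"},      "ntfs": {"d"}},
}

# The subject may itself contain ':' (e.g. 'default:user'), so the rights
# field is whatever follows the last '::' on the line.
ENTRY_RE = re.compile(
    r"^GlueAccessControlEntry:\s*(?P<subject>.+?)::(?P<rights>[A-Za-z-]*)$"
)


def parse_entry(line):
    """Split 'GlueAccessControlEntry: <subject>::<rights>' into (subject, rights)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a GlueAccessControlEntry: {line!r}")
    rights = m.group("rights").replace("-", "")   # POSIX 'r-x' -> 'rx'
    return m.group("subject"), rights


def evaluate(rights, operation):
    """Verdict ('allowed', 'denied' or 'invalid') for the operation under each syntax.

    'invalid' means the rights string uses a letter that syntax does not define,
    so that syntax cannot be the one the site meant."""
    held = set(rights)
    result = {}
    for syntax, alphabet in ALPHABET.items():
        if not held <= alphabet:
            result[syntax] = "invalid"
        elif NEEDS[operation][syntax] <= held:
            result[syntax] = "allowed"
        else:
            result[syntax] = "denied"
    return result


def decide(rights, operation):
    """What a client can conclude without knowing which syntax the site used."""
    verdicts = {v for v in evaluate(rights, operation).values() if v != "invalid"}
    if not verdicts:
        return "unparseable"
    if len(verdicts) == 1:
        return verdicts.pop()
    return "ambiguous"


if __name__ == "__main__":
    # Constructed sample entries, modelled on the ones quoted in the thread.
    entries = [
        "GlueAccessControlEntry: /someVO/Role=admin::rwx",
        "GlueAccessControlEntry: /someVO/Role=admin::rlidwa",
        "GlueAccessControlEntry: /someVO/Role=admin::rwxdpo",
        "GlueAccessControlEntry: other::r-x",
    ]
    for line in entries:
        subject, rights = parse_entry(line)
        for op in NEEDS:
            print(f"{subject:20} {rights:7} {op:12} {decide(rights, op):12} "
                  f"{evaluate(rights, op)}")
```

Running it shows the point of the mail in one line: "rwx" grants delete_file under a POSIX reading but denies it under an NTFS reading, so the client's only honest answer is "ambiguous"; "rlidwa" and "rwxdpo" happen to be unambiguous only because each uses letters the other syntaxes do not define.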
