[Pgi-wg] OGF PGI - Security Model
Vincenzo Ciaschini
vincenzo.ciaschini at cnaf.infn.it
Wed Mar 25 12:09:49 CDT 2009
Etienne URBAH wrote:
> Duane,
>
>
> Thank you for your comments. Please find the original text and my
> answers inline.
>
>
> Beyond that:
>
> 7.9) Semantics and syntax of VOMS extensions and Restriction attributes
> -----------------------------------------------------------------------
> I would like to describe (for example in new section 7.9) the semantics
> and syntax of a RESTRICTED list of VOMS extensions and Restriction
> attributes that all grid clients MAY use and that all grid services MUST
> understand.
>
> Does anybody have links to such lists?
>
> - For VOMS extension, the example below gives :
> VO, subject, issuer, attribute, timeleft, uri
Just for clarity: attribute is indeed a list of attributes. There may
be more than one.
Also, information from more than one VO may be present.
>
> - For other attributes, here is something springing out from my
> imagination, with semantics and syntax (please criticize):
> - Assertion of identity : ID:<FQAN>
> - Assertion of belonging to a group : GROUP:<FQAN>
> - Authorization to access a resource : ALLOW:<URI>
> - Interdiction to access a resource : DENY:<URI>
> - Authorization to read a file (or a folder, recursively):
> ALLOW_R:<URI>
> - Authorization to write into a file (or a folder, recursively):
> ALLOW_W:<URI>
> - Authorization to read and write into a file (or a folder,
> recursively): ALLOW_RW:<URI>
> Note that GLUE 2.0 recommends that the URI should be a URN.
>
>
>
> I agree that we have to describe the full list of VOMS extensions with
> their meaning and syntax (or provide a link to the relevant VOMS
> specification).
How about this?
https://forge.gridforum.org/sf/go/doc13797
(also referenced in the strawman doc)
If it is unclear, I'd love to receive comments.
Ciao,
Vincenzo
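The attribute syntax proposed above (ID:<FQAN>, GROUP:<FQAN>, ALLOW:<URI>, DENY:<URI>, ALLOW_R/ALLOW_W/ALLOW_RW:<URI>) is only sketched in the thread, so here is an added example, not VOMS, PGI or any project's code, of how a grid service might parse those strings and evaluate them against a requested resource. The evaluation semantics are assumptions, since the thread does not settle them: DENY on a URI or any of its ancestors wins over every ALLOW; ALLOW_R, ALLOW_W and ALLOW_RW cover the named URI and everything below it by whole path segment; plain ALLOW covers the exact URI only; anything not matched is denied. The recursive matching assumes hierarchical URIs (scheme://host/path); it is not meaningful for opaque URNs. The sample attribute list and resource URIs are constructed for the example.

```python
"""Evaluator for the restriction-attribute syntax proposed in the thread.
Added example; not VOMS or PGI code. Semantics below are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Prefixes proposed in the thread; anything else is rejected by the parser.
PREFIXES = {"ID", "GROUP", "ALLOW", "DENY", "ALLOW_R", "ALLOW_W", "ALLOW_RW"}


@dataclass(frozen=True)
class Attr:
    kind: str   # one of PREFIXES
    value: str  # FQAN for ID/GROUP, URI for the rest


def parse_attr(s: str) -> Attr:
    """Split '<PREFIX>:<value>' and reject unknown prefixes or empty values."""
    kind, sep, value = s.partition(":")
    if not sep or kind not in PREFIXES or not value:
        raise ValueError(f"malformed restriction attribute: {s!r}")
    if kind in ("ID", "GROUP") and not value.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {s!r}")
    return Attr(kind, value)


def parse_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """Split a VOMS FQAN such as /vo/group/Role=prod/Capability=NULL into
    (group path, role). A Role of NULL means no role was requested."""
    group, role = [], None
    for part in (p for p in fqan.split("/") if p):
        if part.startswith("Role="):
            role = None if part[5:] == "NULL" else part[5:]
        elif part.startswith("Capability="):
            continue  # capabilities are not used by this evaluator
        else:
            group.append(part)
    return "/" + "/".join(group), role


def _covers(granted: str, target: str, recursive: bool) -> bool:
    """True if the granted URI names target (or, if recursive, an ancestor
    of it). Scheme and authority must match exactly; paths are compared
    by whole segments so that /data does not cover /database."""
    g, t = urlsplit(granted), urlsplit(target)
    if (g.scheme, g.netloc) != (t.scheme, t.netloc):
        return False
    gp, tp = g.path.rstrip("/"), t.path.rstrip("/")
    if gp == tp:
        return True
    return recursive and tp.startswith(gp + "/")


def decide(attrs: List[Attr], uri: str, op: str) -> bool:
    """Authorise op ('r' or 'w') on uri. Assumed semantics: DENY on the URI
    or any ancestor wins outright; otherwise the first matching ALLOW*
    grants; nothing matching means deny."""
    if op not in ("r", "w"):
        raise ValueError(f"unknown operation {op!r}")
    if any(a.kind == "DENY" and _covers(a.value, uri, True) for a in attrs):
        return False
    for a in attrs:
        if a.kind == "ALLOW" and _covers(a.value, uri, False):
            return True
        if a.kind == "ALLOW_RW" and _covers(a.value, uri, True):
            return True
        if a.kind == "ALLOW_R" and op == "r" and _covers(a.value, uri, True):
            return True
        if a.kind == "ALLOW_W" and op == "w" and _covers(a.value, uri, True):
            return True
    return False  # default deny


def groups(attrs: List[Attr]) -> List[str]:
    """Group paths asserted via GROUP: attributes, roles stripped."""
    return [parse_fqan(a.value)[0] for a in attrs if a.kind == "GROUP"]


# Constructed sample: one VO member with read on a tree, write on a
# scratch area, and a denied subtree. Not taken from any real service.
SAMPLE = [parse_attr(s) for s in (
    "GROUP:/atlas/prod/Role=production/Capability=NULL",
    "ALLOW_R:srm://se.example.org/data",
    "ALLOW_W:srm://se.example.org/data/scratch",
    "DENY:srm://se.example.org/data/secret",
)]

if __name__ == "__main__":
    for uri, op in (("srm://se.example.org/data/run1/f.root", "r"),
                    ("srm://se.example.org/data/run1/f.root", "w"),
                    ("srm://se.example.org/data/secret/f.root", "r")):
        print(op, uri, "->", "allow" if decide(SAMPLE, uri, op) else "deny")
```

The segment-wise comparison in `_covers` is the part worth keeping even if the rest of the syntax changes: a naive string prefix test would let ALLOW_R on `/data` grant `/database`, and a trailing-slash mismatch would silently fail to cover a folder itself.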