On Tue, 15 Apr 2008, Sergio Andreozzi wrote:
Maarten.Litmaath@cern.ch wrote:
Ciao Sergio,
please, have a look at section 18.3 of latest GLUE spec. There is an initial draft of how rules can be specified using a 'basic' policy scheme for GLUE:
basic rule ::= DN_RULE | VO_RULE | VOMS_RULE | ?ALL? DN_RULE ::= ?dn:? DN_NAME VO_RULE ::= ?vo:? [a-zA-Z0-9-_\.]* VOMS_RULE ::= ?voms:? VOMS_FQAN (?EXCEPT? VOMS_FQAN)?
How would one express that a VO "foo" has access except for the groups /foo/bar and /foo/xyz?
probably we need something like this:
SEPARATOR ::= ':' VOMS_FQAN_LIST ::= (SEPARATOR VOMS_FQAN)* VOMS_RULE ::= 'voms' VOMS_FQAN_LIST (SEPARATOR 'EXCEPT' VOMS_FQAN_LIST)?
which means in your example:
voms:/foo:EXPECT:/foo/bar:/foo/xyv
I don't know if you prefer this instead of separated rules for each group with optional DENY
Has this syntax been discussed: VOMS:/foo DENY:VOMS:/foo/abc DENY:VOMS:/foo/xyz