
Hi Maarten,

On Tuesday 06 May 2008 00:11:51 Maarten.Litmaath@cern.ch wrote:
An example mixing grid authorization notions with POSIX ACL syntax:

GlueAccessControlEntry: /DC=ch/DC=cern/.../CN=somebody::rwx
GlueAccessControlEntry: /someVO/Role=admin::rwx
GlueAccessControlEntry: other::r-x
GlueAccessControlEntry: default:user::rwx
GlueAccessControlEntry: default:group::rwx
GlueAccessControlEntry: default:other::r-x
GlueAccessControlEntry: mask::rwx

Or with AFS ACL syntax:

GlueAccessControlEntry: /DC=ch/DC=cern/.../CN=somebody::rlidwa
GlueAccessControlEntry: /someVO/Role=admin::rlidwa
GlueAccessControlEntry: other::rl

Or with NTFS ACL syntax:

GlueAccessControlEntry: /DC=ch/DC=cern/.../CN=somebody::rwxdpo
GlueAccessControlEntry: /someVO/Role=admin::rwxdpo
GlueAccessControlEntry: other::rx
... which illustrates the problem with publishing ACLs nicely. On seeing an entry like:

GlueAccessControlEntry: /DC=ch/DC=cern/.../CN=somebody::rwx

does a client assume that the ACL is a POSIX one (user can do all operations), or an AFS one (user can't do "lida"), or an NFS one (can't do "dpo"), or [...]? A client simply can't tell. A grid (e.g., WLCG) might standardise on one, but this is irrelevant: GLUE is about cross-grid standardisation, right?

Moreover, since a site might publish authz info with any (valid) ACL format, a client must be able to understand *all* potential ACL formats and how the permissions map to the operation the client wants to undertake. For operation X, what permissions are needed for POSIX-like ACLs, and for AFS, and for NTFS, and for NFS, and for GPFS, and for [...]; what about operation Y, what permissions are needed for POSIX-like [...]?

Even if the information is published and somehow clients can understand all possible information, the published ACLs may still (for practical and legal reasons) be incomplete; even if the client has successfully understood the ACLs, there's no guarantee that they will be able to use the service.

If we want to publish an authz mapping between users and a service, I feel it should be at a VO level. What are the use-cases for *publishing* finer-grain authorisation? ...and are they reasonable?

Cheers,
Paul.