
Maarten.Litmaath@cern.ch said:
> Has this syntax been discussed:
> VOMS:/foo DENY:VOMS:/foo/abc DENY:VOMS:/foo/xyz

That was what Balazs was proposing in the meeting. My point was that it's quite hard to define that syntax in a generic way - for example, what if you say VO:/foo DENY:VOMS:/foo/abc, does the DENY apply to a rule in a different scheme? Effectively if you go that way you have two different kinds of rules, deny-rules and allow-rules, and you have to process all the deny-rules first - and if a parser can't interpret a rule (e.g. it only knows about VO: rules) it can make a wrong decision (although GLUE isn't a Policy Enforcement Point so that doesn't violate security, it just makes things inefficient).

Anyway, Balazs' use-case seemed to be basically the one above, i.e. "cutting out" some part of the space from an allow rule because it's easier than listing all groups explicitly. I was suggesting that you can do that in a simpler way than having a fully generic DENY syntax. (Incidentally, note that EGEE has explicitly said it won't use DENYs, because it makes things too complicated.)

One final point, consider this (perhaps overcomplex) rule: allow /atlas/* except for the subgroup /atlas/higgs, except that you still allow the subsubgroup /atlas/higgs/production, except for the subsubsubgroup /atlas/higgs/production/test. With the :except: scheme you could do that:

VOMS:/atlas/*:EXCEPT:/atlas/higgs
VOMS:/atlas/higgs/production:EXCEPT:/atlas/higgs/production/test

With DENYs I don't think you could do it: DENY:VOMS:/atlas/higgs would override the second rule.

Stephen
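As an added example (not code from the thread or from GLUE), a toy evaluator for the two schemes Stephen contrasts: EXCEPT clauses attached to an allow rule, versus DENY rules processed before all allow rules. It assumes a pattern covers the named group and every subgroup under it, with a trailing /* as an explicit spelling of the same thing; parse_rule, matches and the two evaluators are hypothetical helpers.

```python
"""Toy evaluator for the :EXCEPT: and DENY: rule schemes (constructed example)."""
from collections import namedtuple

Rule = namedtuple("Rule", "deny scheme pattern excepts")


def parse_rule(text):
    """Parse 'VOMS:/a/*:EXCEPT:/a/b' or 'DENY:VOMS:/a/b' into a Rule (hypothetical syntax)."""
    parts = text.split(":")
    deny = parts[0] == "DENY"
    if deny:
        parts = parts[1:]
    scheme, pattern = parts[0], parts[1]
    # Remaining fields come in ('EXCEPT', pattern) pairs.
    excepts = [parts[i + 1] for i in range(2, len(parts) - 1, 2) if parts[i] == "EXCEPT"]
    return Rule(deny, scheme, pattern, excepts)


def matches(pattern, group):
    """Assumption: a pattern covers the group itself and all subgroups below it."""
    prefix = pattern[:-2] if pattern.endswith("/*") else pattern
    return group == prefix or group.startswith(prefix + "/")


def allowed_except_scheme(rules, group):
    """Allowed if some allow rule covers the group and none of that rule's EXCEPTs do."""
    return any(matches(r.pattern, group) and not any(matches(e, group) for e in r.excepts)
               for r in rules if not r.deny)


def allowed_deny_scheme(rules, group):
    """All DENY rules are processed first; a matching DENY wins over every allow rule."""
    if any(matches(r.pattern, group) for r in rules if r.deny):
        return False
    return any(matches(r.pattern, group) for r in rules if not r.deny)


# The two policies from the message, expressed in each scheme.
EXCEPT_POLICY = [parse_rule(t) for t in (
    "VOMS:/atlas/*:EXCEPT:/atlas/higgs",
    "VOMS:/atlas/higgs/production:EXCEPT:/atlas/higgs/production/test")]
DENY_POLICY = [parse_rule(t) for t in (
    "VOMS:/atlas/*", "DENY:VOMS:/atlas/higgs",
    "VOMS:/atlas/higgs/production", "DENY:VOMS:/atlas/higgs/production/test")]


def compare(group):
    """Return (EXCEPT-scheme decision, DENY-scheme decision) for one VOMS group."""
    return allowed_except_scheme(EXCEPT_POLICY, group), allowed_deny_scheme(DENY_POLICY, group)


if __name__ == "__main__":
    for g in ("/atlas/muon", "/atlas/higgs", "/atlas/higgs/production",
              "/atlas/higgs/production/test"):
        print(g, compare(g))
```

The only group on which the two schemes disagree is /atlas/higgs/production: the EXCEPT scheme re-allows it through the second rule, while the DENY on /atlas/higgs overrides that rule.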
That was what Balazs was proposing in the meeting. My point was that it's quite hard to define that syntax in a generic way - for example, what if you say VO:/foo DENY:VOMS:/foo/abc does the DENY apply to a rule in a different scheme? Effectively if you go that way you have two different kinds of rules, deny-rules and allow-rules, and you have to process all the deny-rules first - and if a parser can't interpret a rule (e.g. it only knows about VO: rules) it can make a wrong decision (although GLUE isn't a Policy Enforcement Point so that doesn't violate security, it just makes things inefficient). Anyway, Balazs' use-case seemed to be basically the one above, i.e. "cutting out" some part of the space from an allow rule because it's easier than listing all groups explicitly. I was suggesting that you can do that in a simpler way that having a fully generic DENY syntax. (Incidentally, note that EGEE has explicitly said it won't use DENYs, because it makes things too complicated.) One final point, consider this (perhaps overcomplex) rule: allow /atlas/* except for the subgroup /atlas/higgs except that you still allow the subsubgroup /atlas/higgs/production except for the subsubsubgroup /atlas/higgs/production/test With the :except: scheme you could do that: VOMS:/atlas/*:EXCEPT:/atlas/higgs VOMS:/atlas/higgs/production:EXCEPT:/atlas/higgs/production/test With DENYs I don't think you could do it, DENY:VOMS:/atlas/higgs would override the second rule. Stephen