Re: [geclipse-dev] ACL support

Hi Ken,

> Sorry for the delay in replying - I've had a really busy week here...

no problem, busy with more important bugs anyways ;-)

> > i've enabled the code for access control management which
> > includes read only support for GRIA DataStagers.
>
> Can you clarify this, i.e. what GRIA functionality you've used to
> do this, etc?

oh, I guess the only possible reasonable one, the PolicyManagement
interface, and then of course
 PolicyRule
 PolicyRuleType
 MatchPattern

> Don't forget that, for GRIA resources, there may be many different roles
> defined. For a data stager, this includes "reader" or "writer", but also
> "owner". Other types of resource will have other definitions of roles.
>
> Are you providing generic PBAC support (GRIA access control)?
>
> Will you support the same types of rules that GRIA currently provides
> through its API, e.g.
> - user certificate
> - issuer certificate
> - membership groups
> - SAML tokens

sure, just give it a try (read only yet)
the available roles are queried from the object at runtime, and the three 
different policyRuleTypes (including "necessary" from Gria 5.3) and the 5 
different MatchPattern types (saml, ca, ca+dn, group, anybody) are 
supported

> > - write support is still disabled because I learnt a bit too
> > late that GRIA insists on having the whole certificate data
> > for adding/modifying the entries (i.e., cert file content; the
> > DN and CA subjects are not enough).
>
> No, the DN and CA subjects would never be enough, as you could define
> the same DNs in different user or CA certificates, and hence pretend
> to be someone else!

well, the (EuGridPMA) CAs have policies for the signing namespace, and then
of course I was assuming that the trusted CA certificates would be
uploaded once and for all by the sysadmin... yes, that's my gLite
malformation, sorry ;-)

> It is not essential to be able to manage access control for services,
> i.e. it is much more important for resources (e.g. data stagers) at
> this stage.

sure

> We should be able to provide a fix for this shortly. Can you create
> a "bug" for this and assign it to me?

ok

Cheers, Ariel
