Re: [geclipse-dev] ACL support
Hi Ken,
> Sorry for the delay in replying - I've had a really busy week here...
No problem, busy with more important bugs anyway ;-)
> > i've enabled the code for access control management which
> > includes read only support for GRIA DataStagers.
>
> Can you clarify this, i.e. what GRIA functionality you've used to
> do this, etc?
Oh, I guess the only reasonable one, the PolicyManagement
interface, and then of course
PolicyRule
PolicyRuleType
MatchPattern
> Don't forget that, for GRIA resources, there may be many different roles
> defined. For a data stager, this includes "reader" or "writer", but also
> "owner". Other types of resource will have other definitions of roles.
>
> Are you providing generic PBAC support (GRIA access control)?
>
> Will you support the same types of rules that GRIA currently provides
> through its API, e.g.
> - user certificate
> - issuer certificate
> - membership groups
> - SAML tokens
Sure, just give it a try (read-only so far).
The available roles are queried from the object at runtime, and the three
different PolicyRuleTypes (including "necessary" from GRIA 5.3) and the five
different MatchPattern types (saml, ca, ca+dn, group, anybody) are
supported.
> > - write support is still disabled because I learnt a bit too
> > late that GRIA insists on having the whole certificate data
> > for adding/modifying the entries (i.e., the cert file content; the
> > DN and CA subjects are not enough).
>
> No, the DN and CA subjects would never be enough, as you could define
> the same DNs in different user or CA certificates, and hence pretend
> to be someone else!
Well, the (EuGridPMA) CAs have policies for the signing namespace, and then
of course I was assuming that the trusted CA certificates would be
uploaded once and for all by the sysadmin... yes, that's my gLite
malformation, sorry ;-)
> It is not essential to be able to manage access control for services,
> i.e. it is much more important for resources (e.g. data stagers) at
> this stage.
Sure.
> We should be able to provide a fix for this shortly. Can you create
> a "bug" for this and assign it to me?
OK.
Cheers, Ariel
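The point Ken raises above (that a DN plus the CA's subject DN is not enough to identify a user, because anyone can mint a certificate carrying the same DNs) is worth seeing in working code. The following is an added example written for this archive page; it is not code from g-Eclipse or GRIA, and it does not use the GRIA PolicyManagement API. Certificates are modelled with a small `Cert` dataclass and SHA-256 fingerprints rather than real X.509, and all DNs, keys and ACL entries are constructed sample data. It compares three ways an ACL entry could name a user: by user DN plus CA subject DN (strings only), by user DN plus the fingerprint of a CA certificate the sysadmin pinned in advance (the gLite-style assumption Ariel mentions), and by the fingerprint of the whole user certificate (what GRIA insists on).

```python
"""Why a DN (even together with the CA's subject DN) does not identify a grid user.

Added example, not code from g-Eclipse or GRIA.  Certificates are modelled
as a small dataclass; the sample data below is constructed for the demo.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (assumed model, not real DER)."""
    subject: str        # subject DN
    issuer: str         # issuer DN, i.e. the signing CA's subject DN
    public_key: bytes   # stand-in for SubjectPublicKeyInfo
    issuer_fp: str      # fingerprint of the CA certificate that signed this one

    def fingerprint(self) -> str:
        """SHA-256 over the whole certificate content."""
        h = hashlib.sha256()
        for part in (self.subject, self.issuer, self.issuer_fp):
            h.update(part.encode())
        h.update(self.public_key)
        return h.hexdigest()


def make_ca(dn: str, key: bytes) -> Cert:
    """Self-signed CA certificate."""
    return Cert(subject=dn, issuer=dn, public_key=key, issuer_fp="self")


def issue(ca: Cert, dn: str, key: bytes) -> Cert:
    """End-entity certificate signed by `ca`."""
    return Cert(subject=dn, issuer=ca.subject, public_key=key,
                issuer_fp=ca.fingerprint())


# --- constructed sample data (hypothetical DNs and keys) ------------------
CA_DN = "/C=EU/O=Example Grid/CN=Example Grid CA"
USER_DN = "/C=EU/O=Example Grid/OU=Users/CN=Alice"

REAL_CA = make_ca(CA_DN, b"real-ca-key")
ROGUE_CA = make_ca(CA_DN, b"rogue-ca-key")            # attacker's CA, same subject DN
ALICE = issue(REAL_CA, USER_DN, b"alice-key")
IMPOSTOR = issue(ROGUE_CA, USER_DN, b"impostor-key")  # same user DN, other CA

TRUSTED_CA_FPS = {REAL_CA.fingerprint()}  # CA certs uploaded once by the sysadmin


# --- three ways of writing an ACL entry -----------------------------------
def match_dn_and_ca_subject(entry: tuple, cert: Cert) -> bool:
    """Entry = (user DN, CA subject DN).  Strings only, so the impostor matches too."""
    user_dn, ca_dn = entry
    return cert.subject == user_dn and cert.issuer == ca_dn


def match_dn_and_trusted_ca(entry: tuple, cert: Cert, trusted: set) -> bool:
    """Entry = (user DN, fingerprint of the CA certificate).

    The gLite-style model: the CA is pinned by its certificate, the user by DN.
    Only sound if the CA's namespace policy guarantees DN uniqueness."""
    user_dn, ca_fp = entry
    return (cert.subject == user_dn and cert.issuer_fp == ca_fp
            and ca_fp in trusted)


def match_full_cert(entry: str, cert: Cert) -> bool:
    """Entry = fingerprint of the user's whole certificate content."""
    return cert.fingerprint() == entry


def evaluate() -> dict:
    """Run each matcher against the legitimate user and the impostor.

    Returns {name: (legit_matches, impostor_matches)}."""
    dn_ca = (USER_DN, CA_DN)
    dn_pinned = (USER_DN, REAL_CA.fingerprint())
    full = ALICE.fingerprint()
    return {
        "dn+ca_subject": (match_dn_and_ca_subject(dn_ca, ALICE),
                          match_dn_and_ca_subject(dn_ca, IMPOSTOR)),
        "dn+pinned_ca": (match_dn_and_trusted_ca(dn_pinned, ALICE, TRUSTED_CA_FPS),
                         match_dn_and_trusted_ca(dn_pinned, IMPOSTOR, TRUSTED_CA_FPS)),
        "full_cert": (match_full_cert(full, ALICE),
                      match_full_cert(full, IMPOSTOR)),
    }


if __name__ == "__main__":
    for name, (legit, impostor) in evaluate().items():
        print(f"{name:14s} legit={legit} impostor={impostor}")
```

The first matcher accepts both Alice and the impostor, which is exactly Ken's objection. The other two reject the impostor, but note the assumption behind the second: it only works once the CA certificate itself has been pinned by the sysadmin and the CA enforces its signing namespace. In a real deployment every one of these comparisons is meaningful only after the service has cryptographically verified the presented certificate chain; the fingerprint comparison does not replace that step.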