(r2) AuthZinMM < EgeeJra1It

Tags: , view all tags
---++ How the authorization information is used in matchmaking

The following expression is evaluated at matchmaking time in order to
check whether the owner of a job has access rights to a given CE.

AuthorizationCheck = (
	member(other.CertificateSubject, GlueCEAccessControlBaseRule) ||                   
	member(strcat("VO:",other.VirtualOrganisation), GlueCEAccessControlBaseRule) ||
	FQANmember(strcat("VOMS:",other.VOMS_FQAN), GlueCEAccessControlBaseRule) 
) &&  ! FQANmember(strcat("DENY:",other.VOMS_FQAN), GlueCEAccessControlBaseRule);

We check if either the certificate subject or the virtual organization 
the user belongs to is member of the GlueCEAccessControlBaseRule (ACBR henceforth in text) of the CE.

The third expression in logical OR condition has been added in order
to support generic attributes specification in the ACBR and tests for
ownership of the primary FQAN specified in the user-proxy. The
_VOMS_FQAN_ attribute in the JDL is assigned with such a value.

The classad built-in member function, while testing for ownership in
the ACBR list, uses a lexical match (classic string compare).  The _FQANmember_ 
function as the list mernership built-in fuction _member(V,L)_ takes two arguments: 
the FQAN and the list of ACBR. The _FQANmember_ returns =true= if and only if the 
FQAN is a member of the ACBR list and uses an ad-hoc comparator while testing for ownership.

The MM _receives_ the authorization information i.e. ACBR from the classad representation of a CE, 
which is generated starting from the information the BDII publishes for that CE.

-- Main.FrancescoGiacomini - 09 Oct 2007
Topic revision: r2 - 2007-10-09 - SalvatoreMonforte
Account
- Log In
~~Edit~~
~~Attach~~