RE: [geclipse-dev] ACL support

Hi Ariel,

Sorry for the delay in replying - I've had a really busy week here...

> I've enabled the code for access control management which
> includes read only support for GRIA DataStagers.

Can you clarify this, i.e. what GRIA functionality you've used to
do this, etc?

Don't forget that, for GRIA resources, there may be many different roles
defined. For a data stager, this includes "reader" or "writer", but also
"owner". Other types of resource will have other definitions of roles.

Are you providing generic PBAC support (GRIA access control)?

Will you support the same types of rules that GRIA currently provides
through its API, e.g. 
- user certificate
- issuer certificate
- membership groups
- SAML tokens

> - write support is still disabled because I learnt a bit too
> late that GRIA insists on having the whole certificate data
> for adding/modifying the entries (i.e., cert file content, the
> DN and CA subjects are not enough).

No, the DN and CA subjects would never be enough, as you could define
the same DNs in different user or CA certificates, and hence pretend
to be someone else!

> So currently disabled to 
> avoid non-working code/exceptions. I might reenable it this 
> week if the required changes are small enough to be done 
> during the quality week, later otherwise.

How are you getting on with this?

> - support for managing access control of the services 
> themselves is still missing, but it would only require some 
> modifications in the client libs.

Yes.

> @Ken, when could GRIA/ITI provide us with the modified
> client libs we talked about for enabling the PolicyManagement
> interface in the Job/DataServices?

It is not essential to be able to manage access control for services,
i.e. it is much more important for resources (e.g. data stagers) at
this stage.

We should be able to provide a fix for this shortly. Can you create
a "bug" for this and assign it to me?

Cheers,

Ken.
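
The point above about DN and CA subjects, as an added example that is not part of the original message and is not GRIA code: two unrelated CAs reuse the same DNs, so a rule that compares only DN strings matches both user certificates, while a whole-certificate comparison matches only the enrolled one. It assumes the `openssl` command-line tool is installed; every DN, file name and function name is constructed for illustration.

```bash
#!/bin/sh
# Added example (constructed names, not GRIA code): why an ACL entry must pin
# the whole certificate rather than the subject and issuer DN strings.
set -eu

CA_DN="/O=Example Grid/CN=Example CA"        # constructed
USER_DN="/O=Example Grid/CN=Alice Example"   # constructed

# make_identity DIR: self-signed CA plus one user certificate issued by it.
make_identity() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "$CA_DN" -days 1 \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "$USER_DN" \
    -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/user.pem" 2>/dev/null
}

dn_pair()     { openssl x509 -in "$1" -noout -subject -issuer -nameopt RFC2253; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Weak rule: entry matches when subject and issuer DN strings are equal.
acl_allows_by_dn()   { [ "$(dn_pair "$1")" = "$(dn_pair "$2")" ]; }
# Strong rule: entry matches only the exact enrolled certificate.
acl_allows_by_cert() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

demo() {
  work=$(mktemp -d)
  make_identity "$work/enrolled"    # the CA and user the resource owner trusts
  make_identity "$work/unrelated"   # a different CA that reuses both DNs
  dn_pair "$work/unrelated/user.pem"
  if acl_allows_by_dn "$work/enrolled/user.pem" "$work/unrelated/user.pem"; then
    echo "DN-only rule: unrelated certificate matches the entry"
  fi
  if ! acl_allows_by_cert "$work/enrolled/user.pem" "$work/unrelated/user.pem"; then
    echo "whole-certificate rule: unrelated certificate is rejected"
  fi
  rm -rf "$work"
}
demo
```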






