Common use of SRM ACLs on spaces Clause in Contracts

SRM ACLs on spaces. The syntax and semantics proposed for SRM ACLs on spaces are based on NFSv4 minor version 1, draft 21. An Access Control Entry (ACE) is a record associated with a space reservation. Each ACE is defined as follows: aceType, subject, subjectType, accessMask, where
- aceType can be ALLOWED_ACE or DENIED_ACE;
- subject can be a DN or an FQAN; an empty DN/FQAN is interpreted as ANY (a reserved name can be used, e.g. EVERYONE);
- subjectType specifies whether the subject is a DN or an FQAN;
- accessMask is the set of actions associated with this ACE.

The valid actions are: RELEASE_SPACE, UPDATE_SPACE, READ_FROM_SPACE, WRITE_TO_SPACE, STAGE_TO_SPACE, PURGE_FROM_SPACE, QUERY_SPACE, MODIFY_SPACE_ACL.

TODO: Each SpaceManager operation has to be associated with a corresponding access mask. Some 'read' operations can in reality be 'write' (like srmPrepareToGet).

An access control list (ACL) is an ordered array of ACEs. Only ACEs whose subject matches the requester are considered. Each ACE is processed until all of the bits of the requester's access have been ALLOWED. Once a bit has been ALLOWED by an ALLOWED_ACE, it is no longer considered in the processing of later ACEs. If a DENIED_ACE is encountered while the requester's access still has bits not yet ALLOWED in common with the accessMask of that ACE, the request is denied (in other words: to ALLOW, all bits have to be checked, while for DENY one matching bit is sufficient). When the ACL is fully processed, if there are bits in the requester's mask that have not been ALLOWED or DENIED, access is denied.

The following syntax can be used to set/display ACLs: subjectType:subject:accessMask:aceType

Example: production write, admin all, regular user read, others deny:
fqan:dteam/Role=production:RSWQP:ALLOW
fqan:dteam/Role=lcgamin:DURWSPQM:ALLOW
fqan:dteam/Role=NULL:RSQ:ALLOW
fqan:EVERYONE:DURWSPQM:DENY

Read, no stage:
fqan:EVERYONE:R:ALLOW
fqan:EVERYONE:S:DENY

Power user:
dn:/O=GermanGrid/OU=DESY/CN=Xxxxxx Xxxxxxxxx:S:ALLOW
fqan:EVERYONE:RQ:ALLOW
fqan:EVERYONE:S:DENY

where accessMask is: 'D' for RELEASE_SPACE, 'U' for UPDATE_SPACE, 'R' for READ_FROM_SPACE, 'W' for WRITE_TO_SPACE, 'S' for STAGE_TO_SPACE, 'P' for PURGE_FROM_SPACE, 'Q' for QUERY_SPACE, 'M' for MODIFY_SPACE_ACL.

While we do not have OWNER and DEFAULT ACLs, all newly created reservations will have the de facto default:
fqan:EVERYONE:DURWSPQM:DENY
dn:EVERYONE:DURWSPQM:DENY

To overcome this situation the following strategy can be used: if there is an ACL associated with the Space Reservation, then the ACL is respected; otherwise access is allowed.
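As an added example (not code from the original document or from the SRM project), a small Python evaluator that implements the ACE/ACL semantics and the set/display syntax above; the 'S' letter for STAGE_TO_SPACE (taken from the examples) and the no_acl_allows switch are assumptions of this example.

```python
# Added example, not from the original document: evaluator for the SRM
# space-ACL semantics and the subjectType:subject:accessMask:aceType syntax.
from dataclasses import dataclass

ACTIONS = {"D": "RELEASE_SPACE", "U": "UPDATE_SPACE", "R": "READ_FROM_SPACE",
           "W": "WRITE_TO_SPACE", "S": "STAGE_TO_SPACE", "P": "PURGE_FROM_SPACE",
           "Q": "QUERY_SPACE", "M": "MODIFY_SPACE_ACL"}

@dataclass(frozen=True)
class Ace:
    subject_type: str    # "dn" or "fqan"
    subject: str         # a DN, an FQAN, "" or EVERYONE (both mean ANY)
    mask: frozenset      # action letters this ACE covers
    allow: bool          # True for ALLOWED_ACE, False for DENIED_ACE

def parse_ace(text):
    # Split from the right: only the last two fields are fixed-format.
    head, mask, ace_type = text.strip().rsplit(":", 2)
    subject_type, subject = head.split(":", 1)
    if subject_type not in ("dn", "fqan") or ace_type not in ("ALLOW", "DENY"):
        raise ValueError("malformed ACE: " + text)
    if not set(mask) <= set(ACTIONS):
        raise ValueError("unknown action letter in: " + text)
    return Ace(subject_type, subject, frozenset(mask), ace_type == "ALLOW")

def parse_acl(lines):
    return [parse_ace(line) for line in lines if line.strip()]

def matches(ace, dn, fqans):
    if ace.subject in ("", "EVERYONE"):
        return True
    return ace.subject == dn if ace.subject_type == "dn" else ace.subject in fqans

def check_access(acl, requested, dn, fqans=(), no_acl_allows=True):
    """True if every letter in `requested` ends up ALLOWED for the requester."""
    if not acl:                      # interim strategy: no ACL => allowed
        return no_acl_allows         # (pass False for a fail-closed policy)
    needed = set(requested)
    for ace in acl:
        if not matches(ace, dn, fqans):
            continue
        common = needed & ace.mask
        if not common:
            continue
        if ace.allow:
            needed -= common         # settled bits are ignored by later ACEs
        else:
            return False             # one matching DENY bit is sufficient
    return not needed                # bits never ALLOWED or DENIED => denied
```

The no_acl_allows flag makes the interim "no ACL, access allowed" strategy an explicit, auditable choice; the later variants on this page replace it with a creator-DN ALLOW entry and an implicit administrator ACE.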

Appears in 4 contracts

Samples: indico.cern.ch, indico.cern.ch, indico.cern.ch


SRM ACLs on spaces. The syntax and semantics proposed for SRM ACLs on spaces are based on NFSv4 minor version 1, draft 21. An Access Control Entry (ACE) is a record associated with a space reservation. Each ACE is defined as follows: aceType, subject, subjectType, accessMask, where
- aceType can be ALLOWED_ACE or DENIED_ACE;
- subject can be a DN or an FQAN; the reserved name EVERYONE is interpreted as ANY;
- subjectType specifies whether the subject is a DN or an FQAN;
- accessMask is the set of actions associated with this ACE.

The valid actions are: RELEASE_SPACE (D), UPDATE_SPACE (U), READ_FROM_SPACE (R), WRITE_TO_SPACE (W), STAGE_TO_SPACE (S), REPLICATE_TO_SPACE (C), PURGE_FROM_SPACE (P), QUERY_SPACE (Q), MODIFY_SPACE_ACL (M).

TODO: Each SpaceManager operation has to be associated with a corresponding access mask. Some 'read' operations can in reality be 'write' (like srmPrepareToGet).

An access control list (ACL) is an ordered array of ACEs. Only ACEs whose subject matches the requester are considered. Each ACE is processed until all of the bits of the requester's access have been ALLOWED. Once a bit has been ALLOWED by an ALLOWED_ACE, it is no longer considered in the processing of later ACEs. If a DENIED_ACE is encountered while the requester's access still has bits not yet ALLOWED in common with the accessMask of that ACE, the request is denied (in other words: to ALLOW, all bits have to be checked, while for DENY one matching bit is sufficient). When the ACL is fully processed, if there are bits in the requester's mask that have not been ALLOWED or DENIED, access is denied.

The following syntax can be used to set/display ACLs: subjectType:subject:accessMask:aceType

Example: production write, admin all, regular user read, others deny:
fqan:dteam/Role=production:RSWQP:ALLOW
fqan:dteam/Role=lcgamin:DURWSPQM:ALLOW
fqan:dteam/Role=NULL:RSQ:ALLOW
fqan:EVERYONE:DURWSPQMC:DENY

Read, no stage:
fqan:EVERYONE:R:ALLOW
fqan:EVERYONE:S:DENY

Power user:
dn:/O=GermanGrid/OU=DESY/CN=Xxxxxx Xxxxxxxxx:S:ALLOW
fqan:EVERYONE:RQ:ALLOW
fqan:EVERYONE:S:DENY

where accessMask is: 'D' for RELEASE_SPACE, 'U' for UPDATE_SPACE, 'R' for READ_FROM_SPACE, 'W' for WRITE_TO_SPACE, 'S' for STAGE_TO_SPACE, 'C' for REPLICATE_TO_SPACE, 'P' for PURGE_FROM_SPACE, 'Q' for QUERY_SPACE, 'M' for MODIFY_SPACE_ACL.

While we do not have OWNER and DEFAULT ACLs, all newly created reservations will have the de facto default:
dn:<Creator DN>:DURWSCPQM:ALLOW
fqan:EVERYONE:DURWSCPQM:DENY
dn:EVERYONE:DURWSCPQM:DENY

What should we use for administrators and the creator of the space?

Appears in 1 contract

Samples: indico.cern.ch

SRM ACLs on spaces. The syntax and semantics proposed for SRM ACLs on SPACEs are based on NFSv4 minor version 1, draft 21. An Access Control Entry (ACE) is a record associated with a SPACE reservation. Each ACE is defined as follows: subjectType, subject, accessMask, aceType, where
- aceType can be ALLOWED_ACE or DENIED_ACE;
- subject can be a DN or an FQAN; the reserved name EVERYONE is interpreted as ANY;
- subjectType specifies whether the subject is a DN or an FQAN;
- accessMask is the set of actions associated with this ACE.

The valid actions are: RELEASE_SPACE (D), UPDATE_SPACE (U), READ_FROM_SPACE (R), WRITE_TO_SPACE (W), STAGE_TO_SPACE (S), REPLICATE_FROM_SPACE (C), PURGE_FROM_SPACE (P), QUERY_SPACE (Q), MODIFY_SPACE_ACL (M).

An access control list (ACL) is an ordered array of ACEs. Only ACEs whose subject matches the requester are considered. Each ACE is processed until all of the bits of the requester's access have been ALLOWED. Once a bit has been ALLOWED by an ALLOWED_ACE, it is no longer considered in the processing of later ACEs. If a DENIED_ACE is encountered while the requester's access still has bits not yet ALLOWED in common with the accessMask of that ACE, the request is denied (in other words: to ALLOW, all bits have to be checked, while for DENY one matching bit is sufficient). When the ACL is fully processed, if there are bits in the requester's mask that have not been ALLOWED or DENIED, access is denied.

The following syntax can be used to set/display ACLs: subjectType:subject:accessMask:aceType

Example: production write, admin all, regular user read, others deny:
fqan:dteam/Role=production:RSWQP:ALLOW
fqan:dteam/Role=lcgamin:DURWSPQM:ALLOW
fqan:dteam/Role=NULL:RSQ:ALLOW
fqan:EVERYONE:DURWSPQMC:DENY

Read, no stage:
fqan:EVERYONE:R:ALLOW
fqan:EVERYONE:S:DENY

Power user:
dn:/O=GermanGrid/OU=DESY/CN=Xxxxxx Xxxxxxxxx:S:ALLOW
fqan:EVERYONE:RQ:ALLOW
fqan:EVERYONE:S:DENY

where accessMask is: 'D' for RELEASE_SPACE, 'U' for UPDATE_SPACE, 'R' for READ_FROM_SPACE, 'W' for WRITE_TO_SPACE, 'S' for STAGE_TO_SPACE, 'C' for REPLICATE_TO_SPACE, 'P' for PURGE_FROM_SPACE, 'Q' for QUERY_SPACE, 'M' for MODIFY_SPACE_ACL.

While we do not have OWNER and DEFAULT ACLs, all newly created reservations will have the de facto default:
fqan:EVERYONE:DURWSPQM:DENY
dn:EVERYONE:DURWSPQM:DENY

To overcome this situation the following strategy can be used: if there is an ACL associated with the Space Reservation, then the ACL is respected; otherwise access is allowed.

Appears in 1 contract

Samples: twiki.cern.ch

SRM ACLs on spaces. The syntax and semantics proposed for SRM ACLs on spaces are based on NFSv4 minor version 1, draft 21. An Access Control Entry (ACE) is a record associated with a space reservation. Each ACE is defined as follows: aceType, subject, subjectType, accessMask, where
- aceType can be ALLOWED_ACE or DENIED_ACE;
- subject can be a DN or an FQAN; the reserved name EVERYONE is interpreted as ANY;
- subjectType specifies whether the subject is a DN or an FQAN;
- accessMask is the set of actions associated with this ACE.

The valid actions are: RELEASE_SPACE (D), UPDATE_SPACE (U), READ_FROM_SPACE (R), WRITE_TO_SPACE (W), STAGE_TO_SPACE (S), REPLICATE_FROM_SPACE (C), PURGE_FROM_SPACE (P), QUERY_SPACE (Q), MODIFY_SPACE_ACL (M).

An access control list (ACL) is an ordered array of ACEs. Only ACEs whose subject matches the requester are considered. Each ACE is processed until all of the bits of the requester's access have been ALLOWED. Once a bit has been ALLOWED by an ALLOWED_ACE, it is no longer considered in the processing of later ACEs. If a DENIED_ACE is encountered while the requester's access still has bits not yet ALLOWED in common with the accessMask of that ACE, the request is denied (in other words: to ALLOW, all bits have to be checked, while for DENY one matching bit is sufficient). When the ACL is fully processed, if there are bits in the requester's mask that have not been ALLOWED or DENIED, access is denied.

The following syntax can be used to set/display ACLs: subjectType:subject:accessMask:aceType

Example: production write, admin all, regular user read, others deny:
fqan:dteam/Role=production:RSWQP:ALLOW
fqan:dteam/Role=lcgamin:DURWSPQM:ALLOW
fqan:dteam/Role=NULL:RSQ:ALLOW
fqan:EVERYONE:DURWSPQMC:DENY

Read, no stage:
fqan:EVERYONE:R:ALLOW
fqan:EVERYONE:S:DENY

Power user:
dn:/O=GermanGrid/OU=DESY/CN=Xxxxxx Xxxxxxxxx:S:ALLOW
fqan:EVERYONE:RQ:ALLOW
fqan:EVERYONE:S:DENY

where accessMask is: 'D' for RELEASE_SPACE, 'U' for UPDATE_SPACE, 'R' for READ_FROM_SPACE, 'W' for WRITE_TO_SPACE, 'S' for STAGE_TO_SPACE, 'C' for REPLICATE_TO_SPACE, 'P' for PURGE_FROM_SPACE, 'Q' for QUERY_SPACE, 'M' for MODIFY_SPACE_ACL.

While we do not have OWNER and DEFAULT ACLs, all newly created reservations will have the de facto default:
dn:<Creator DN>:DURWSCPQM:ALLOW
fqan:EVERYONE:DURWSCPQM:DENY
dn:EVERYONE:DURWSCPQM:DENY

Service administrators have an implicit ACE that allows them to perform all operations on a space.

Appears in 1 contract

Samples: indico.cern.ch


SRM ACLs on spaces. The syntax and semantics proposed for SRM ACLs on spaces are based on NFSv4 minor version 1, draft 21. An Access Control Entry (ACE) is a record associated with a space reservation. Each ACE is defined as follows: aceType, subject, subjectType, accessMask, where
- aceType can be ALLOWED_ACE or DENIED_ACE;
- subject can be a DN or an FQAN; the reserved name EVERYONE is interpreted as ANY;
- subjectType specifies whether the subject is a DN or an FQAN;
- accessMask is the set of actions associated with this ACE.

The valid actions are: RELEASE_SPACE (D), UPDATE_SPACE (U), READ_FROM_SPACE (R), WRITE_TO_SPACE (W), STAGE_TO_SPACE (S), REPLICATE_TO_SPACE (C), PURGE_FROM_SPACE (P), QUERY_SPACE (Q), MODIFY_SPACE_ACL (M).

TODO: Each SpaceManager operation has to be associated with a corresponding access mask. Some 'read' operations can in reality be 'write' (like srmPrepareToGet).

An access control list (ACL) is an ordered array of ACEs. Only ACEs whose subject matches the requester are considered. Each ACE is processed until all of the bits of the requester's access have been ALLOWED. Once a bit has been ALLOWED by an ALLOWED_ACE, it is no longer considered in the processing of later ACEs. If a DENIED_ACE is encountered while the requester's access still has bits not yet ALLOWED in common with the accessMask of that ACE, the request is denied (in other words: to ALLOW, all bits have to be checked, while for DENY one matching bit is sufficient). When the ACL is fully processed, if there are bits in the requester's mask that have not been ALLOWED or DENIED, access is denied.

The following syntax can be used to set/display ACLs: subjectType:subject:accessMask:aceType

Example: production write, admin all, regular user read, others deny:
fqan:dteam/Role=production:RSWQP:ALLOW
fqan:dteam/Role=lcgamin:DURWSPQM:ALLOW
fqan:dteam/Role=NULL:RSQ:ALLOW
fqan:EVERYONE:DURWSPQMC:DENY

Read, no stage:
fqan:EVERYONE:R:ALLOW
fqan:EVERYONE:S:DENY

Power user:
dn:/O=GermanGrid/OU=DESY/CN=Xxxxxx Xxxxxxxxx:S:ALLOW
fqan:EVERYONE:RQ:ALLOW
fqan:EVERYONE:S:DENY

where accessMask is: 'D' for RELEASE_SPACE, 'U' for UPDATE_SPACE, 'R' for READ_FROM_SPACE, 'W' for WRITE_TO_SPACE, 'S' for STAGE_TO_SPACE, 'C' for REPLICATE_TO_SPACE, 'P' for PURGE_FROM_SPACE, 'Q' for QUERY_SPACE, 'M' for MODIFY_SPACE_ACL.

While we do not have OWNER and DEFAULT ACLs, all newly created reservations will have the de facto default:
dn:<Creator DN>:DURWSCPQM:ALLOW
fqan:EVERYONE:DURWSCPQM:DENY
dn:EVERYONE:DURWSCPQM:DENY

Service administrators have an implicit ACE that allows them to perform all operations on a space.

Appears in 1 contract

Samples: indico.cern.ch
