Jeff Templon [mailto:[log in to unmask]] said:
I just heard via other channels of a quite subtle bug in the WMS
matchmaking that causes a problem similar to that one sees when DENY
tags are absent. I'm not sure how much overlap there is between these
two problems, perhaps somebody just rediscovered that DENY is necessary?
If this is the lhcb bug that was just submitted, I think we should see what the diagnosis is, it's not obvious to me what the real problem is.
It seems at this point in the game, it might be worth making
everybody's life much easier and having the WMS support an "exact
match" flag.
After experimenting a bit (and getting the syntax wrong several times :) it seems that you can include the ACBR in the JDL requirements in the usual way, so I think you can already require such a match.
I wonder to what extent other tools (non-WMS) handle this better.
Given the approach of EGI and the promised decoupling of the
middleware from the infrastructure, it would be appropriate to review,
as sites (and users!) whether the WMS is the best tool for the job.
I would still like to know what's happened to the recommendations of the authz working group, since that was supposed to have considered these things. I seem to remember they also recommended having a standard library so everything would do the matching in a consistent way.
Stephen
PS Sorry about the formatting of this mail, I'm using Outlook web access due to being in a meeting where the VPN port is blocked ...
--
Scanned by iCritical.
|