Particle Physics Group



GridSite: Grid Access Control Language

GACL is the authorization policy language used by GridSite 0.9.x. GACL allows policies to be written in terms of common Grid credentials: X.509 identities, GSI proxies, VOMS attribute certificates and lists of X.509 identities.

GridSite both uses GACL policies and provides a GACL manipulation API for C/C++ in the GridSite library.


In GridSite 0.9.x, four credential types are supported:

<person> <dn>/O=Grid/CN=Name</dn> </person>

<voms> <fqan>/vo.dom.ain/group</fqan> </voms>

<dn-list> <url>https://www.vo.dom.ain/dn-lists/group</url> </dn-list>

<dns> <hostname>host*.dom.ain</hostname> </dns>


Five permissions are supported: Admin, Write, List, Exec and Read. Admin is permission to modify the authorization policy itself, but applications can map the other permissions to local methods as appropriate to their environment. For filesystems and fileservers, Write, List and Read have their usual meanings: creating or modifying files or directories; browsing directories; reading files. Exec is not used by GridSite itself, and applications are free to give it a meaning within their own contexts.

In 0.9.x, only per-directory GACL files are supported, and the file is stored in the directory in question, or in one of its parent directories. (GridSite searches upwards until it finds one.)

In GACL files, the permissions are represented by single tags: <admin/>, <write/>, <list/>, <exec/>, <read/>. Permission tags are contained within Allow or Deny blocks. For example: <allow><read/><list/></allow> or <deny><admin/></deny>.


Entries associate credentials with permission statements. Entries consist of one or more credential blocks, and either an Allow or a Deny block, or both. If multiple credentials are present in one entry, they must all be held by a user to receive the association permissions. (So Entries provide logical AND of credentials.)

Access Control Lists

ACLs consist of a list of one or more Entry blocks. When a user's credentials are compared to the ACL, the permissions given to the user by Allow blocks are recorded, along with those forbidden by Deny blocks. When all entries have been evaluated, any forbidden permissions are removed from those granted. (So Deny always wins over Allow, even between different Entries, but otherwise ACLs provide logical OR of credentials.)

Last modified Fri 28 November 2003 . View page history
Switch to HTTPS . Website Help . Print View . Built with GridSite 2.2.6