super-users can be specified by FQANs too

diff --git a/org.glite.lb.doc/src/LBAG-Installation.tex b/org.glite.lb.doc/src/LBAG-Installation.tex
index 01d5339..9748415 100644 (file)
--- a/org.glite.lb.doc/src/LBAG-Installation.tex
+++ b/org.glite.lb.doc/src/LBAG-Installation.tex
@@ -136,16 +136,18 @@ transakce
 \TODO{Initial YAIM way only, rest in Sect.~\ref{maintain:index}}
 
 \subsubsection{Server superusers}
-
-Certain administrative operations (identified bellow when appropriate)
-on \LB server are privileged.
-When they are invoked remotely, a~special authorization is required.
-By default, the server identity (X509 certificate subject) is considered
-privileged.
-Additional subjects can be specified in \emph{superusers file},
-specified by \verb'--super-users-file' server option
-(one subject per line).
-After changing the file, the server has to be restarted.
+\label{inst:superusers}
+
+Certain administrative operations (identified below when appropriate) on \LB
+server are privileged and special authorization is required to invoke them.  By
+default, the \LB server identity (X509 certificate subject name) is considered
+privileged.  Additional administrator identitites can be specified in a
+\emph{superusers file}, specified by the \verb'--super-users-file' server
+option.  A client is granted superuser privileges if they present credentials
+matching the superusers specifications in the file.  The file consists of one
+or more lines, each one containing either a subject name or VOMS attribute(s)
+in the FQAN format (in the latter case the line must start with \verb'FQAN:').
+After changing the file, the server has to be restarted. 
 
 The default startup script checks for existence of 
 /opt/glite/etc/LB-super-users and uses it eventually.

diff --git a/org.glite.lb.doc/src/LBAG-Running.tex b/org.glite.lb.doc/src/LBAG-Running.tex
index 03cc1fb..518c5c9 100644 (file)
--- a/org.glite.lb.doc/src/LBAG-Running.tex
+++ b/org.glite.lb.doc/src/LBAG-Running.tex
@@ -161,7 +161,7 @@ and the server started up.
 Then the dump files can be loaded back with complementary
 \verb'glite-lb-load' utility.
 
-Server superuser privileges (X509 credentials) are required to run \verb'glite-lb-dump' and \verb'glite-lb-load'.
+Server superuser privileges (see section~\ref{inst:superusers}) are required to run \verb'glite-lb-dump' and \verb'glite-lb-load'.
 Dumping the events does not interfere with normal server operation.
 
 This backup strategy can interfere with too aggressive setting of old
@@ -209,7 +209,7 @@ It is recommended (and the default YAIM setup does so, via
 the \verb'glite-lb-export.sh' wrapper) to run the purge
 command periodically from cron.
 
-Server superuser privileges (X509 credentials) are required to run \verb'glite-lb-purge'.
+Server superuser privileges (see section~\ref{inst:superusers}) are required to run \verb'glite-lb-purge'.
 
 If the server database has already grown huge, the purge operation can take
 rather long and hit the \LB server operation timeout. At client side, \ie the