In order to change the Access Control List (ACL) for a job, a special event
\verb'ChangeACL' is used. This event can be logged by the job owner using the
\verb'glite-lb-logevent' command (see also Sect.~\ref{glite-lb-logevent}).
-General template for changing the ACL is as follows:
+The general template for changing the ACL is as follows:
\begin{verbatim}
-glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1
- -j <job_id>
+glite-lb-logevent -e ChangeACL -s UserInterface -p -j <job_id>
--user_id <user_id>
--user_id_type <user_id_type>
+ --permission READ
--permission_type <permission_type> --operation <operation>
\end{verbatim}
where
\begin{tabularx}{\textwidth}{>{\texttt}lX}
-<job\_id> & specifies the job to change \\
-<user\_id> & specifies the user to use, can be either an X.500 name
+\verb'<job_id>' & specifies the job to change access to\\
+\verb'<user_id>' & specifies the user to grant or revoke permission. The
+ parameter can be either an X.500 name
(subject name), a VOMS group (of the form VO:Group), or a Full
- qualified attribute name (FQAN). FQANs are only supported in \LBnew. \\
-<user\_id\_type> & \texttt{0}, \texttt{1}, or \texttt{2} indicating \texttt{user\_id}
- specifies X.500 name, VOMS group, or FQAN, respectively \\
-<permission\_type> & \texttt{0} or \texttt{1} indicating the user is
- \textit{allowed} or \textit{denied}, respectively \\
-<operation> & \texttt{0} or \texttt{1} indicating the record carried in
- the event shall be added or removed, respectively from
- the ACL \\
+ qualified attribute name (FQAN). \\
+\verb'<user_id_type>' & indicates the type of the user\_id given above.
+ \verb'DN', \verb'GROUP', and \verb'FQAN' can be given to
+ specify X.500 name, VOMS group, or FQAN, respectively \\
+\verb'<permission>' & ACL permission to change, currently only \verb'READ' is
+ supported. \\
+\verb'<permission_type>' & Type of permission requested. \verb'ALLOW' or
+ \verb'DENY' can be specified. \\
+\verb'<operation>' & Operation requested to be performed with ACL. \verb'ADD'
+ or \verb'REMOVE' can be specified. \\
\end{tabularx}
-
-Adding a user specified by his or her subject name to the ACL \\
-(\verb'user_id' = subject name, \verb'user_id_type' = 0,
-\verb'permission_type' = 0, \verb'operation' = 0):
+Adding a user specified by his or her subject name to the ACL (\ie granting
+access rights to another user):
\begin{verbatim}
-glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1 \
- -j https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw \
+glite-lb-logevent -e ChangeACL -s UserInterface -p -j <job_id> \
--user_id '/O=CESNET/O=Masaryk University/CN=Daniel Kouril' \
- --user_id_type 0 --permission_type 0 --operation 0
+ --user_id_type DN --permission READ --permission_type ALLOW \
+ --operation ADD
\end{verbatim}
-Removing a user specified by his or her subject name from the ACL \\
-(\verb'user_id' = subject name, \verb'user_id_type' = 0,
-\verb'permission_type' = 0, \verb'operation' = 1):
+Removing a user specified by his or her subject name from the ACL (\ie
+revoking access right to another user):
\begin{verbatim}
-glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1 \
- -j https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw \
+glite-lb-logevent -e ChangeACL -s UserInterface -p -j <job_id> \
--user_id '/O=CESNET/O=Masaryk University/CN=Daniel Kouril' \
- --user_id_type 0 --permission_type 0 --operation 1
+ --user_id_type DN --permission READ --permission_type ALLOW \
+ --operation REMOVE
\end{verbatim}
-Adding a VOMS group to the ACL \\
-(\verb'user_id' = VOMS group, \verb'user_id_type' = 1,
-\verb'permission_type' = 0, \verb'operation' = 0):
+Adding a VOMS attribute to the ACL:
\begin{verbatim}
-glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1 \
- -j https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw \
- --user_id 'VOCE:/VOCE' \
- --user_id_type 1 --permission_type 0 --operation 0
+glite-lb-logevent -e ChangeACL -s UserInterface -p -j <job_id> \
+ --user_id '/VOCE/Role=Administrator' --user_id_type FQAN \
+ --permission READ --permission_type ALLOW \
+ --operation ADD
\end{verbatim}
-Denying a particular user from accessing information about the job, can be
-combined e.g. with VOMS groups (\verb'user_id' = subject name,
-\verb'user_id_type' = 0, \verb'permission_type' = 1, \verb'operation' = 0):
+Note that \LBold supported only using VOMS group names, not full FQANs,
+whose support has been introduced only in \LBnew. \LBold also did not
+allowed the users to use symbolic names for the values specifying ACL
+setting and integers must be used instead. For example, to grant access
+right on a \LBold server one has to use following syntax:
\begin{verbatim}
-glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1 \
- -j https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw \
+glite-lb-logevent -e ChangeACL -s UserInterface -p -j <job_id> \
--user_id '/O=CESNET/O=Masaryk University/CN=Daniel Kouril' \
- --user_id_type 0 --permission_type 1 --operation 0
+ --user_id_type 0 --permission 1 --permission_type 0 --operation 0
\end{verbatim}
-
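Review bot: the new template hard-codes "--permission READ" while the table it introduces documents "<permission>" as a parameter; the template should read "--permission <permission>" like the other options so the two stay consistent (the prose already says only READ is currently supported, so the placeholder loses nothing). The rewrite also drops the only DENY example ("Denying a particular user from accessing information about the job, can be combined e.g. with VOMS groups") although the table still offers "DENY"; please keep one example of the form "--user_id_type DN --permission READ --permission_type DENY --operation ADD" and add a sentence stating how an ALLOW record for a group and a DENY record for a member of that group are resolved, since the section never says which takes precedence and readers will rely on that to restrict access correctly. Minor wording in the added \LBold paragraph: "did not allowed" should be "did not allow", "whose support has been introduced only in \LBnew" reads better as "support for which was introduced in \LBnew", and "use following syntax" needs "the"; the kept table text "Full qualified attribute name (FQAN)" should be "Fully qualified attribute name (FQAN)".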