From: Daniel Kouřil Date: Thu, 24 Jul 2008 13:34:24 +0000 (+0000) Subject: super-users can be specified by FQANs too X-Git-Tag: merge_316_6_after~64 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=ee5d98f615a19b88aafecf3a012dfb62d7bf2331;p=jra1mw.git super-users can be specified by FQANs too --- diff --git a/org.glite.lb.doc/src/LBAG-Installation.tex b/org.glite.lb.doc/src/LBAG-Installation.tex index 01d5339..9748415 100644 --- a/org.glite.lb.doc/src/LBAG-Installation.tex +++ b/org.glite.lb.doc/src/LBAG-Installation.tex 
@@ -136,16 +136,18 @@ transakce \TODO{Initial YAIM way only, rest in Sect.~\ref{maintain:index}} \subsubsection{Server superusers} - -Certain administrative operations (identified bellow when appropriate) -on \LB server are privileged. -When they are invoked remotely, a~special authorization is required. -By default, the server identity (X509 certificate subject) is considered -privileged. -Additional subjects can be specified in \emph{superusers file}, -specified by \verb'--super-users-file' server option -(one subject per line). -After changing the file, the server has to be restarted. +\label{inst:superusers} + +Certain administrative operations (identified below when appropriate) on \LB +server are privileged and special authorization is required to invoke them. By +default, the \LB server identity (X509 certificate subject name) is considered +privileged. Additional administrator identitites can be specified in a +\emph{superusers file}, specified by the \verb'--super-users-file' server +option. A client is granted superuser privileges if they present credentials +matching the superusers specifications in the file. The file consists of one +or more lines, each one containing either a subject name or VOMS attribute(s) +in the FQAN format (in the latter case the line must start with \verb'FQAN:'). +After changing the file, the server has to be restarted. The default startup script checks for existence of /opt/glite/etc/LB-super-users and uses it eventually. diff --git a/org.glite.lb.doc/src/LBAG-Running.tex b/org.glite.lb.doc/src/LBAG-Running.tex index 03cc1fb..518c5c9 100644 --- a/org.glite.lb.doc/src/LBAG-Running.tex +++ b/org.glite.lb.doc/src/LBAG-Running.tex 
@@ -161,7 +161,7 @@ and the server started up. Then the dump files can be loaded back with complementary \verb'glite-lb-load' utility. -Server superuser privileges (X509 credentials) are required to run \verb'glite-lb-dump' and \verb'glite-lb-load'. +Server superuser privileges (see section~\ref{inst:superusers}) are required to run \verb'glite-lb-dump' and \verb'glite-lb-load'. Dumping the events does not interfere with normal server operation. This backup strategy can interfere with too aggressive setting of old @@ -209,7 +209,7 @@ It is recommended (and the default YAIM setup does so, via the \verb'glite-lb-export.sh' wrapper) to run the purge command periodically from cron. -Server superuser privileges (X509 credentials) are required to run \verb'glite-lb-purge'. +Server superuser privileges (see section~\ref{inst:superusers}) are required to run \verb'glite-lb-purge'. If the server database has already grown huge, the purge operation can take rather long and hit the \LB server operation timeout. At client side, \ie the
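Review bot: In the LBAG-Installation.tex hunk, the new superusers paragraph does not say how a line starting with \verb'FQAN:' is matched against the client's VOMS attributes (exact string only, or also subgroups and roles below the listed FQAN), and "VOMS attribute(s)" leaves open whether one line may carry several FQANs and, if so, whether all or any of them must be present. Since this file decides who gets superuser rights, state the matching rule explicitly and show one sample line of each kind (subject name and FQAN). Also in the added lines: "identitites" should be "identities"; "uses it eventually" reads as "at some later time" where "uses it if present" seems to be meant; and the path /opt/glite/etc/LB-super-users should be set in \verb like the option name before it.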
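Review bot: In both LBAG-Running.tex hunks the new cross-reference is written "see section~\ref{inst:superusers}", while the context line at the top of the LBAG-Installation.tex hunk uses the form "Sect.~\ref{maintain:index}"; pick one form so the guide stays consistent. The label being referenced is defined in a different source file, so the reference only resolves when both files are built into the same document, which is worth confirming with a full build since the diff cannot show it.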