From edf5414c89366ac751fe6b669f595efa93815a04 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Daniel=20Kou=C5=99il?=
Date: Wed, 20 Aug 2008 17:19:03 +0000
Subject: [PATCH] FQAN support in LB 2.0
---
org.glite.lb.doc/src/LBUG-Introduction.tex | 17 ++++++++++-------
org.glite.lb.doc/src/change_acl.tex | 9 +++++----
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/org.glite.lb.doc/src/LBUG-Introduction.tex b/org.glite.lb.doc/src/LBUG-Introduction.tex
index 7b9ae8f..687e0ea 100644
--- a/org.glite.lb.doc/src/LBUG-Introduction.tex
+++ b/org.glite.lb.doc/src/LBUG-Introduction.tex
@@ -582,13 +582,16 @@ proxy certificates. By default, access to information about a job is only allowed to the user who submitted the job (\ie the job owner). The job owner can also assign an access control list to his or job in the \LB specifying other users who are -allowed to read the data from \LB. The ACLs are internally represented in -the GridSite GACL format~\cite{gacl2} and are stored in the \LB -database along with the job information. The stored ACL are checked on each -query requesting the data. The ACLs are under control of the job owner, who -can add and remove entries in the ACL arbitrarily using the \LB API or -command-line tools. Each entry of an ACL can specify either a user subject -name or a name of a VOMS group. +allowed to read the data from \LB. The ACLs are represented in +the GridSite GACL format~\cite{gacl2} and are stored in the \LB database +along with the job information. The stored ACL are checked on each query +requesting the data. The ACLs are under control of the job owner, who can +add and remove entries in the ACL arbitrarily using the \LB API or +command-line tools (see~\ref{e:change-acl}). Each entry of an ACL can +specify either a user subject name, a name of a VOMS group, or an attribute +specified in the Full qualified attribute name format (the FQAN support is +only available in \LBnew). An ACL assigned to a job is returned as part of +job status information. Besides of using the ACLs, the \LB administrator can also specify a~set of privileged users with access to all job records on a particular \LB server diff --git a/org.glite.lb.doc/src/change_acl.tex b/org.glite.lb.doc/src/change_acl.tex index ebc07c9..da0b586 100644 --- a/org.glite.lb.doc/src/change_acl.tex +++ b/org.glite.lb.doc/src/change_acl.tex 
@@ -19,10 +19,11 @@ where \begin{tabularx}{\textwidth}{>{\texttt}lX} & specifies the job to change \\ & specifies the user to use, can be either an X.500 name - (subject name) or a VOMS group (of the form VO:Group)\\ - & \texttt{0} or \texttt{1}, indicating \texttt{user\_id} - specifies X.500 name or VOMS group, respectively \\ - & \texttt{0} or \texttt{1}, indicating the user is + (subject name), a VOMS group (of the form VO:Group), or a Full + qualified attribute name (FQAN). FQANs are only supported in \LBnew. \\ + & \texttt{0}, \texttt{1}, or \texttt{2} indicating \texttt{user\_id} + specifies X.500 name, VOMS group, or FQAN, respectively \\ + & \texttt{0} or \texttt{1} indicating the user is \textit{allowed} or \textit{denied}, respectively \\ & \texttt{0} or \texttt{1} indicating the record carried in the event shall be added or removed, respectively from -- 1.8.2.3