From ee83174e9b22547745c0105080a2fa267e042d8f Mon Sep 17 00:00:00 2001 From: =?utf8?q?Daniel=20Kou=C5=99il?= Date: Wed, 8 Jul 2009 15:51:43 +0000 Subject: [PATCH] Changed to reflect the symbolic names for ACL mgmt introduced in LB2.0 --- org.glite.lb.doc/src/change_acl.tex | 78 ++++++++++++++++++------------------- 1 file changed, 38 insertions(+), 40 deletions(-) diff --git a/org.glite.lb.doc/src/change_acl.tex b/org.glite.lb.doc/src/change_acl.tex index da0b586..7201797 100644 --- a/org.glite.lb.doc/src/change_acl.tex +++ b/org.glite.lb.doc/src/change_acl.tex 
@@ -4,77 +4,75 @@ In order to change the Access Control List (ACL) for a job, a special event \verb'ChangeACL' is used. This event can be logged by the job owner using the \verb'glite-lb-logevent' command (see also Sect.~\ref{glite-lb-logevent}). -General template for changing the ACL is as follows: +The general template for changing the ACL is as follows: \begin{verbatim} -glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1 - -j +glite-lb-logevent -e ChangeACL -s UserInterface -p -j --user_id --user_id_type + --permission READ --permission_type --operation \end{verbatim} where \begin{tabularx}{\textwidth}{>{\texttt}lX} - & specifies the job to change \\ - & specifies the user to use, can be either an X.500 name +\verb'' & specifies the job to change access to\\ +\verb'' & specifies the user to grant or revoke permission. The + parameter can be either an X.500 name (subject name), a VOMS group (of the form VO:Group), or a Full - qualified attribute name (FQAN). FQANs are only supported in \LBnew. \\ - & \texttt{0}, \texttt{1}, or \texttt{2} indicating \texttt{user\_id} - specifies X.500 name, VOMS group, or FQAN, respectively \\ - & \texttt{0} or \texttt{1} indicating the user is - \textit{allowed} or \textit{denied}, respectively \\ - & \texttt{0} or \texttt{1} indicating the record carried in - the event shall be added or removed, respectively from - the ACL \\ + qualified attribute name (FQAN). \\ +\verb'' & indicates the type of the user\_id given above. + \verb'DN', \verb'GROUP', and \verb'FQAN' can be given to + specify X.500 name, VOMS group, or FQAN, respectively \\ +\verb'' & ACL permission to change, currently only \verb'READ' is + supported. \\ +\verb'' & Type of permission requested. \verb'ALLOW' or + \verb'DENY' can be specified. \\ +\verb'' & Operation requested to be performed with ACL. \verb'ADD' + or \verb'REMOVE' can be specified. 
\\ \end{tabularx} - -Adding a user specified by his or her subject name to the ACL \\ -(\verb'user_id' = subject name, \verb'user_id_type' = 0, -\verb'permission_type' = 0, \verb'operation' = 0): +Adding a user specified by his or her subject name to the ACL (\ie granting +access rights to another user): \begin{verbatim} -glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1 \ - -j https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw \ +glite-lb-logevent -e ChangeACL -s UserInterface -p -j \ --user_id '/O=CESNET/O=Masaryk University/CN=Daniel Kouril' \ - --user_id_type 0 --permission_type 0 --operation 0 + --user_id_type DN --permission READ --permission_type ALLOW \ + --operation ADD \end{verbatim} -Removing a user specified by his or her subject name from the ACL \\ -(\verb'user_id' = subject name, \verb'user_id_type' = 0, -\verb'permission_type' = 0, \verb'operation' = 1): +Removing a user specified by his or her subject name from the ACL (\ie +revoking access right to another user): \begin{verbatim} -glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1 \ - -j https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw \ +glite-lb-logevent -e ChangeACL -s UserInterface -p -j \ --user_id '/O=CESNET/O=Masaryk University/CN=Daniel Kouril' \ - --user_id_type 0 --permission_type 0 --operation 1 + --user_id_type DN --permission READ --permission_type ALLOW \ + --operation REMOVE \end{verbatim} -Adding a VOMS group to the ACL \\ -(\verb'user_id' = VOMS group, \verb'user_id_type' = 1, -\verb'permission_type' = 0, \verb'operation' = 0): +Adding a VOMS attribute to the ACL: \begin{verbatim} -glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1 \ - -j https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw \ - --user_id 'VOCE:/VOCE' \ - --user_id_type 1 --permission_type 0 --operation 0 +glite-lb-logevent -e ChangeACL -s UserInterface -p -j \ + --user_id '/VOCE/Role=Administrator' --user_id_type FQAN \ + --permission READ 
--permission_type ALLOW \ + --operation ADD \end{verbatim} -Denying a particular user from accessing information about the job, can be -combined e.g. with VOMS groups (\verb'user_id' = subject name, -\verb'user_id_type' = 0, \verb'permission_type' = 1, \verb'operation' = 0): +Note that \LBold supported only using VOMS group names, not full FQANs, +whose support has been introduced only in \LBnew. \LBold also did not +allowed the users to use symbolic names for the values specifying ACL +setting and integers must be used instead. For example, to grant access +right on a \LBold server one has to use following syntax: \begin{verbatim} -glite-lb-logevent -e ChangeACL -s UserInterface -p --permission 1 \ - -j https://scientific.civ.zcu.cz:9000/PC8Y6jBitHt_fKMTEKFnVw \ +glite-lb-logevent -e ChangeACL -s UserInterface -p -j \ --user_id '/O=CESNET/O=Masaryk University/CN=Daniel Kouril' \ - --user_id_type 0 --permission_type 1 --operation 0 + --user_id_type 0 --permission 1 --permission_type 0 --operation 0 \end{verbatim} - -- 1.8.2.3
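Review bot: The new \LBold compatibility paragraph in this hunk has grammar errors that should be fixed before merge: "\LBold also did not allowed the users to use symbolic names" should read "did not allow users to use symbolic names", "integers must be used instead" should be "integers had to be used instead" to keep the past tense, and "one has to use following syntax" needs "the following syntax". Two smaller points in the same hunk: the reworked examples drop the old "Denying a particular user" case, so the table's \verb'DENY' value is now documented without any example, and keeping one (the subject-name example with `--permission_type DENY --operation ADD`) would show readers how a deny entry differs from removing an allow entry; and "revoking access right to another user" should be "revoking access rights from another user". Finally, the table row for user_id still says a VOMS group has "the form VO:Group" while the example heading now says "VOMS attribute" and passes an FQAN with `--user_id_type FQAN`, so the row should state which forms \verb'GROUP' and \verb'FQAN' expect.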