[Pacemaker] Multi-level ACLs for the CIB
Andrew Beekhof
andrew at beekhof.net
Wed Dec 9 09:42:07 UTC 2009
On Tue, Dec 8, 2009 at 2:16 PM, Lars Marowsky-Bree <lmb at suse.de> wrote:
> On 2009-12-08T09:22:52, Andrew Beekhof <andrew at beekhof.net> wrote:
>
>> > Basically, we'd like to see an ACL mechanism. It would be implemented at
>> > the CIB level. So that all the clients - CLI , CRM shell, GUI, etc... -
>> > could benefit. Clients are authenticated via PAM, so we can use uid/gid
>> > for identification.
>>
>> Actually you probably can't do this.
>> Daemons (like the cib) which are not running as root can only
>> authenticate the username/password of the user they're running as.
>
> Well, the non-root internal uids/daemons would of course get exceptions
> just like root, this is about external interfaces.
Wait a second... where are you planning to do the authentication?
>
>> > <deny ref="stonith1-instance_attributes-ilo_password" />
>> > <read ref="stonith1" />
>> > <read ref="#status" />
>> Please, no hashes here.
>
> This stems from the fact that the status XML element doesn't have an id;
> but for general access to specific sections (XML elements) it may be
> worth adding a section=(...) attribute instead of a special prefix in
> the ref="" attribute.
Agreed.
More information about the Pacemaker
mailing list