[Pacemaker] Multi-level ACLs for the CIB

Tue Feb 2 05:14:29 UTC 2010

Hi,

Sorry for delaying this update so long because of some other works.

The ACL implementation has been improved. As we discussed, two new
functionalities has been added:
* The access control on attributes of elements
* xpath based ACL.

The schema and the corresponding codes has been simplified:

  <define name="element-acls">
    <element name="acls">
      <zeroOrMore>
	<choice>
	  <element name="user">
	    <attribute name="id"><text/></attribute>
	    <choice>
	      <attribute name="role"><data type="IDREF"/></attribute>
	      <zeroOrMore>
		<ref name="element-acl"/>
	      </zeroOrMore>
	    </choice>
	  </element>
	  <element name="role">
	    <attribute name="id"><data type="ID"/></attribute>
	    <zeroOrMore>
	      <ref name="element-acl"/>
	    </zeroOrMore>
	  </element>
	</choice>
      </zeroOrMore>
    </element>
  </define>

  <define name="element-acl">
    <choice>
      <element name="read">
	<ref name="attribute-acl"/>
      </element>
      <element name="write">
	<ref name="attribute-acl"/>
      </element>
      <element name="deny">
	<ref name="attribute-acl"/>
      </element>
    </choice>
  </define>

  <define name="attribute-acl">
    <attribute name="id"><data type="ID"/></attribute>
      <choice>
	<attribute name="tag"><text/></attribute>
	<attribute name="ref"><data type="IDREF"/></attribute>
	<group>
	  <attribute name="tag"><text/></attribute>
	  <attribute name="ref"><data type="IDREF"/></attribute>
	</group>
	<attribute name="xpath"><text/></attribute>
      </choice>
      <optional>
	<attribute name="attribute"><text/></attribute>
      </optional>
  </define>

A configuration example:
..
<acls>
  <role id="operator">
    <write id="operator-write-0" tag="nodes"/>
    <write id="operator-write-1" tag="status"/>
  </role>
  <role id="monitor">
    <read id="monitor-read-0" tag="nodes"/>
    <read id="monitor-read-1" tag="status"/>
  </role>
  <user id="gaoyan">
    <write id="gaoyan-write-0" xpath="//primitive[@id='rsc0']//nvpair[@name='target-role']"/>
    <deny id ="gaoyan-deny-0" xpath="//primitive[@id='rsc0']//nvpair[@name='password']" attribute="value"/>
    <read id="gaoyan-read-0" tag="primitive" ref="rsc0"/>
    <write id="gaoyan-write-1 ref="location_rsc0"/>
    <write id="gaoyan-write-2" tag="nodes"/>
    <write id="gaoyan-write-3" tag="status"/>
  </user>
  <user id="bob" role="operator"/>
  <user id="1002" role="monitor"/>
</acls>
..

As Andrew suggested:
- Roles have ACLs
- Users can be assigned EITHER a role OR a set of ACLs

Besides, An user "id" could be a system username or a numeric uid.

For crm shell, perhaps the syntax would be like:

user <id> acl_obj [acl_obj ...]
user <id> <role_id>
role <id> acl_obj [acl_obj ...]

acl_obj ::
  mode tag <tag_name> [attribute]
  mode ref <ref_id> [attribute]
  mode tag <tag_name> ref <ref_id> [attribute]
  mode xpath <path> [attribute]

mode:: read | write | deny

Attached the updated patch. Please help review it.
Thanks!

Regards,
  Yan
-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pacemaker-cib-acl.diff
Type: text/x-patch
Size: 30457 bytes
Desc: not available
URL: <https://lists.clusterlabs.org/pipermail/pacemaker/attachments/20100202/6ee751a0/attachment-0001.bin>