[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Wed Feb 3 22:52:30 EST 2010



Andrew Beekhof wrote:
> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <ygao at novell.com> wrote:
> 
> [snip]
> 
>> A configuration example:
>> ..
>> <acls>
>>  <role id="operator">
>>    <write id="operator-write-0" tag="nodes"/>
>>    <write id="operator-write-1" tag="status"/>
>>  </role>
>>  <role id="monitor">
>>    <read id="monitor-read-0" tag="nodes"/>
>>    <read id="monitor-read-1" tag="status"/>
>>  </role>
> 
> [snip]
> 
> Quick question, have you tried using crm_mon with a configuration like this?
> I'm pretty sure you'll get nothing sensible as it can't find the resources.
Indeed. I once thought that the information from "<status..." could be enough
for monitoring, but then realized that both the nodes and resources from
"<configuration..." are required.

> 
> Might want to think about how to deal with that...
We could either give some well-defined ACLs for that, or is it possible that
crm_mon doesn't depend on the info from "configuration"?

-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.



