[Pacemaker] Multi-level ACLs for the CIB

Andrew Beekhof andrew at beekhof.net
Thu Feb 4 02:15:45 EST 2010


On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao <ygao at novell.com> wrote:
>
>
> Andrew Beekhof wrote:
>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <ygao at novell.com> wrote:
>>
>> [snip]
>>
>>> A configuration example:
>>> ..
>>> <acls>
>>>  <role id="operator">
>>>    <write id="operator-write-0" tag="nodes"/>
>>>    <write id="operator-write-1" tag="status"/>
>>>  </role>
>>>  <role id="monitor">
>>>    <read id="monitor-read-0" tag="nodes"/>
>>>    <read id="monitor-read-1" tag="status"/>
>>>  </role>
>>
>> [snip]
>>
>> Quick question, have you tried using crm_mon with a configuration like this?
>> I'm pretty sure you'll get nothing sensible as it can't find the resources.
> Indeed. I once thought that the information from "<status..." could be enough
> for monitoring, but then realized that both the nodes and resources from
> "<configuration..." are required.
>
>>
>> Might want to think about how to deal with that...
> We could either give some well-defined ACLs for that, or is it possible that
> crm_mon doesn't depend on the info from "configuration"?

No, crm_mon definitely needs the full configuration.
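
The gap discussed in this thread, as an added example that is not part of the original messages or of Pacemaker's code: the quoted "monitor" role is applied to a constructed sample CIB to show which sections a monitoring client would no longer see. The access model (a matching tag exposes its subtree, ancestors stay as containers, a write implies read), the sample CIB and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample CIB (not from the thread): one node, one resource, one status entry.
CIB = """<cib>
  <configuration>
    <nodes><node id="node1" uname="node1"/></nodes>
    <resources><primitive id="vip" class="ocf" provider="heartbeat" type="IPaddr2"/></resources>
  </configuration>
  <status>
    <node_state id="node1">
      <lrm id="node1"><lrm_resources><lrm_resource id="vip"/></lrm_resources></lrm>
    </node_state>
  </status>
</cib>"""

# The "monitor" role exactly as quoted in the thread.
ROLE = """<role id="monitor">
  <read id="monitor-read-0" tag="nodes"/>
  <read id="monitor-read-1" tag="status"/>
</role>"""

def readable_tags(role_xml):
    """Tags the role may read (assumption: a write permission implies read)."""
    role = ET.fromstring(role_xml)
    return {rule.get("tag") for rule in role if rule.tag in ("read", "write")}

def filtered_view(cib_xml, tags):
    """Assumed model: a matching tag exposes its whole subtree; ancestors are
    kept as containers; everything else is stripped."""
    def prune(elem):
        if elem.tag in tags:
            return True
        for child in list(elem):
            if not prune(child):
                elem.remove(child)
        return len(elem) > 0
    root = ET.fromstring(cib_xml)
    prune(root)
    return root

def missing_for_monitoring(view):
    """Sections named in the thread as required for monitoring but absent from the view."""
    needed = ("configuration/nodes", "configuration/resources", "status")
    return [path for path in needed if view.find(path) is None]

if __name__ == "__main__":
    view = filtered_view(CIB, readable_tags(ROLE))
    print(ET.tostring(view, encoding="unicode"))
    print("missing:", missing_for_monitoring(view))
```

Under this model the role still sees the resource's operation history under status, but the resource definition it refers to is gone from the view.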



