[Pacemaker] Multi-level ACLs for the CIB
Yan Gao
ygao at novell.com
Thu Feb 4 07:51:20 UTC 2010
On 02/04/10 15:15, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao <ygao at novell.com> wrote:
>>
>>
>> Andrew Beekhof wrote:
>>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <ygao at novell.com> wrote:
>>>
>>> [snip]
>>>
>>>> A configuration example:
>>>> ..
>>>> <acls>
>>>>   <role id="operator">
>>>>     <write id="operator-write-0" tag="nodes"/>
>>>>     <write id="operator-write-1" tag="status"/>
>>>>   </role>
>>>>   <role id="monitor">
>>>>     <read id="monitor-read-0" tag="nodes"/>
>>>>     <read id="monitor-read-1" tag="status"/>
>>>>   </role>
>>>
>>> [snip]
>>>
>>> Quick question, have you tried using crm_mon with a configuration like this?
>>> I'm pretty sure you'll get nothing sensible as it can't find the resources.
>> Indeed. I had thought that the information from "<status..." could be enough
>> for monitoring, but then realized that both the nodes and the resources from
>> "<configuration..." are required.
>>
>>>
>>> Might want to think about how to deal with that...
>> We could either give some well-defined ACLs for that, or is it possible that
>> crm_mon doesn't depend on the info from "configuration"?
>
> No, crm_mon definitely needs the full configuration.
Well, so perhaps we could usually define the roles as:
..
<acls>
  <role id="operator">
    <write id="operator-write-0" tag="nodes"/>
    <write id="operator-write-1" tag="status"/>
    <read id="operator-read-0" tag="cib"/>
  </role>
  <role id="monitor">
    <read id="monitor-read-0" tag="cib"/>
  </role>
</acls>
..
Regards,
Yan
--
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
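An added illustration of the point above (example code, not part of the thread and not Pacemaker's ACL implementation): it checks both <acls> fragments against a constructed CIB skeleton and lists the sections a role cannot read. It assumes a simplified model in which a permission with tag="X" covers every element named X and its whole subtree, write implies read, and crm_mon needs nodes, resources and status.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two <acls> fragments from the thread.
ACLS_BEFORE = """<acls>
  <role id="operator">
    <write id="operator-write-0" tag="nodes"/>
    <write id="operator-write-1" tag="status"/>
  </role>
  <role id="monitor">
    <read id="monitor-read-0" tag="nodes"/>
    <read id="monitor-read-1" tag="status"/>
  </role>
</acls>"""
ACLS_AFTER = """<acls>
  <role id="operator">
    <write id="operator-write-0" tag="nodes"/>
    <write id="operator-write-1" tag="status"/>
    <read id="operator-read-0" tag="cib"/>
  </role>
  <role id="monitor">
    <read id="monitor-read-0" tag="cib"/>
  </role>
</acls>"""
# Constructed CIB skeleton: only the sections relevant to the discussion.
CIB = """<cib>
  <configuration>
    <nodes><node id="node1"/></nodes>
    <resources><primitive id="dummy"/></resources>
  </configuration>
  <status><node_state id="node1"/></status>
</cib>"""
# Assumption: the sections crm_mon must be able to read (Andrew: "the full configuration").
CRM_MON_NEEDS = ("cib/configuration/nodes", "cib/configuration/resources", "cib/status")

def read_tags(acls_xml, role_id):
    """Tags the role may read: <read> entries plus <write> entries (write implies read; assumption)."""
    role = ET.fromstring(acls_xml).find(f"role[@id='{role_id}']")
    return {p.get("tag") for p in role if p.tag in ("read", "write")}

def can_read(cib_xml, tags, path):
    """True if the path exists in the CIB and one of its elements (self or ancestor) carries an allowed tag."""
    names, node = path.split("/"), ET.fromstring(cib_xml)
    if names[0] != node.tag:
        return False
    for name in names[1:]:           # walk down the constructed CIB; missing sections are unreadable
        node = node.find(name)
        if node is None:
            return False
    return any(n in tags for n in names)   # permission on an ancestor covers the subtree

def crm_mon_blind_spots(acls_xml, role_id):
    """Sections crm_mon needs that this role cannot read (empty list means crm_mon would work)."""
    tags = read_tags(acls_xml, role_id)
    return [p for p in CRM_MON_NEEDS if not can_read(CIB, tags, p)]
```

With the first fragment both roles are blind to cib/configuration/resources; with the second, the tag="cib" read covers the whole tree and the list is empty.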