[Pacemaker] Multi-level ACLs for the CIB
Andrew Beekhof
andrew at beekhof.net
Thu Feb 4 13:01:31 UTC 2010
On Thu, Feb 4, 2010 at 8:51 AM, Yan Gao <ygao at novell.com> wrote:
>
>
> On 02/04/10 15:15, Andrew Beekhof wrote:
>> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao <ygao at novell.com> wrote:
>>>
>>>
>>> Andrew Beekhof wrote:
>>>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <ygao at novell.com> wrote:
>>>>
>>>> [snip]
>>>>
>>>>> A configuration example:
>>>>> ..
>>>>> <acls>
>>>>> <role id="operator">
>>>>> <write id="operator-write-0" tag="nodes"/>
>>>>> <write id="operator-write-1" tag="status"/>
>>>>> </role>
>>>>> <role id="monitor">
>>>>> <read id="monitor-read-0" tag="nodes"/>
>>>>> <read id="monitor-read-1" tag="status"/>
>>>>> </role>
>>>>
>>>> [snip]
>>>>
>>>> Quick question, have you tried using crm_mon with a configuration like this?
>>>> I'm pretty sure you'll get nothing sensible as it can't find the resources.
>>> Indeed. I had thought that the information from "<status..." could be enough
>>> for monitoring, but then realized that both the nodes and resources from
>>> "<configuration..." are required.
>>>
>>>>
>>>> Might want to think about how to deal with that...
>>> We could either give some well-defined ACLs for that, or is it possible that
>>> crm_mon doesn't depend on the info from "configuration"?
>>
>> No, crm_mon definitely needs the full configuration.
> Well, so perhaps we could usually define the roles as:
>
> ..
> <acls>
> <role id="operator">
> <write id="operator-write-0" tag="nodes"/>
> <write id="operator-write-1" tag="status"/>
> <read id="operator-read-0" tag="cib"/>
> </role>
> <role id="monitor">
> <read id="monitor-read-0" tag="cib"/>
> </role>
> ..
And put exclusions for things like passwords before the read for the whole cib?
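As an added illustration (my own toy model, not Pacemaker's ACL code), the Python below evaluates ordered ACL rules against a small constructed CIB. It assumes top-down, first-match-wins evaluation and a "deny" rule kind, neither of which the thread itself spells out, and shows both why the original monitor role leaves crm_mon without resources and why a password exclusion has to come before the read of the whole cib.

```python
# Toy model of ordered CIB ACL rules (added example, not Pacemaker's implementation).
# Assumption: rules are checked top-down per element and the first match wins;
# a rule on a tag covers that element's whole subtree.
import xml.etree.ElementTree as ET

# Constructed minimal CIB. crm_mon needs <nodes> and <resources> from
# <configuration>, not only <status>.
SAMPLE_CIB = """<cib>
  <configuration>
    <nodes><node id="n1" uname="node1"/></nodes>
    <resources>
      <primitive id="db" class="ocf" type="mysql">
        <instance_attributes id="db-ia">
          <nvpair id="db-ia-pw" name="password" value="s3cret"/>
        </instance_attributes>
      </primitive>
    </resources>
  </configuration>
  <status><node_state id="n1" crmd="online"/></status>
</cib>"""

# A rule is (kind, tag, attribute-name-or-None), mirroring tag="..." in the thread.
MONITOR_ORIGINAL = [("read", "nodes", None), ("read", "status", None)]
MONITOR_WHOLE_CIB = [("read", "cib", None)]
MONITOR_SAFE = [("deny", "nvpair", "password"), ("read", "cib", None)]
MONITOR_DENY_LAST = [("read", "cib", None), ("deny", "nvpair", "password")]

def visible(rules, root):
    """Return the elements a role may read, walking the tree with the ancestor path."""
    allowed = []
    def walk(elem, path):
        path = path + [elem.tag]
        verdict = None
        for kind, tag, attr_name in rules:
            if tag in path and (attr_name is None or elem.get("name") == attr_name):
                verdict = kind      # first matching rule decides
                break
        if verdict in ("read", "write"):
            allowed.append(elem)
        for child in elem:
            walk(child, path)
    walk(root, [])
    return allowed

def readable(rules, cib_xml=SAMPLE_CIB):
    """Set of 'tag#id' strings for the elements (with an id) the role may read."""
    root = ET.fromstring(cib_xml)
    return {f"{e.tag}#{e.get('id')}" for e in visible(rules, root) if e.get("id")}
```

Comparing `readable(MONITOR_SAFE)` with `readable(MONITOR_DENY_LAST)` makes the ordering point concrete: with the deny after the read, the read for `cib` matches first and the password nvpair is exposed anyway.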