[Pacemaker] Multi-level ACLs for the CIB

Andrew Beekhof andrew at beekhof.net
Thu Feb 4 13:01:31 UTC 2010


On Thu, Feb 4, 2010 at 8:51 AM, Yan Gao <ygao at novell.com> wrote:
>
>
> On 02/04/10 15:15, Andrew Beekhof wrote:
>> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao <ygao at novell.com> wrote:
>>>
>>>
>>> Andrew Beekhof wrote:
>>>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <ygao at novell.com> wrote:
>>>>
>>>> [snip]
>>>>
>>>>> A configuration example:
>>>>> ..
>>>>> <acls>
>>>>>  <role id="operator">
>>>>>    <write id="operator-write-0" tag="nodes"/>
>>>>>    <write id="operator-write-1" tag="status"/>
>>>>>  </role>
>>>>>  <role id="monitor">
>>>>>    <read id="monitor-read-0" tag="nodes"/>
>>>>>    <read id="monitor-read-1" tag="status"/>
>>>>>  </role>
>>>>
>>>> [snip]
>>>>
>>>> Quick question, have you tried using crm_mon with a configuration like this?
>>>> I'm pretty sure you'll get nothing sensible as it can't find the resources.
>>> Indeed. I had thought that the information from "<status..." could be enough
>>> for monitoring, but then realized both the nodes and resources from
>>> "<configuration..." are required.
>>>
>>>>
>>>> Might want to think about how to deal with that...
>>> We could either give some well defined ACLs for that, or is it possible that
>>> crm_mon doesn't depend on the info from "configuration"?
>>
>> No, crm_mon definitely needs the full configuration.
> Well, so perhaps we could usually define the roles as:
>
> ..
> <acls>
>  <role id="operator">
>    <write id="operator-write-0" tag="nodes"/>
>    <write id="operator-write-1" tag="status"/>
>    <read id="operator-read-0" tag="cib"/>
>  </role>
>  <role id="monitor">
>    <read id="monitor-read-0" tag="cib"/>
>  </role>
> ..

And put exclusions for things like passwords before the read for the whole cib?
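An added illustration of the ordering point raised above; this is not code from the thread or from Pacemaker. It is a toy, first-match evaluator for the proposed <role>/<read>/<write> syntax, extended with a hypothetical <deny> rule that uses an xpath selector. The semantics (rules checked in document order, the first rule anchored on an element or one of its ancestors decides, everything unmatched is hidden) are assumptions made for the illustration, and the CIB fragment, the stonith resource and its "passwd" value are constructed sample data. The point it demonstrates is that a blanket <read tag="cib"/> placed first shadows every later exclusion, so the password exclusion must come before it.

```python
# Added example, not Pacemaker code: a toy first-match ACL evaluator for the
# proposed <role>/<read>/<write>/<deny> syntax. Rules are checked in order; the
# first rule anchored on an element or on one of its ancestors decides, and
# elements matched by no rule are hidden (default deny). These semantics are
# assumptions for the illustration only.
import xml.etree.ElementTree as ET

# Constructed sample CIB fragment (not from a real cluster).
SAMPLE_CIB = """
<cib>
  <configuration>
    <nodes><node id="n1" uname="node1"/></nodes>
    <resources>
      <primitive id="stonith-ipmi" class="stonith" type="external/ipmi">
        <instance_attributes id="stonith-ipmi-ia">
          <nvpair id="stonith-ipmi-ia-user" name="userid" value="admin"/>
          <nvpair id="stonith-ipmi-ia-pass" name="passwd" value="example-secret"/>
        </instance_attributes>
      </primitive>
    </resources>
  </configuration>
  <status/>
</cib>
"""

# Exclusion first, then the read for the whole cib: the password stays hidden.
ROLE_SAFE = """
<role id="monitor">
  <deny id="monitor-deny-0" xpath=".//nvpair[@name='passwd']"/>
  <read id="monitor-read-0" tag="cib"/>
</role>
"""

# Same rules, reversed: <read tag="cib"/> matches every element first and the
# exclusion never fires, so the password is readable.
ROLE_LEAKY = """
<role id="monitor">
  <read id="monitor-read-0" tag="cib"/>
  <deny id="monitor-deny-0" xpath=".//nvpair[@name='passwd']"/>
</role>
"""


def _anchors(rule, root):
    """Elements a rule is anchored on; their whole subtrees inherit the rule."""
    xpath = rule.get("xpath")
    if xpath:
        return set(root.findall(xpath))
    return set(root.iter(rule.get("tag")))


def visible_cib(role_xml, cib_xml):
    """Return the CIB as the given role would see it, with hidden subtrees removed."""
    role = ET.fromstring(role_xml)
    root = ET.fromstring(cib_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    rules = [(rule.tag, _anchors(rule, root)) for rule in role]

    def allowed(elem):
        # Collect elem and its ancestors, then let the first rule in role order
        # that is anchored on any of them decide.
        chain = []
        node = elem
        while node is not None:
            chain.append(node)
            node = parents.get(node)
        for kind, anchors in rules:
            if any(node in anchors for node in chain):
                return kind != "deny"
        return False  # no rule matched: hidden by default

    def prune(elem):
        if not allowed(elem):
            return None
        copy = ET.Element(elem.tag, dict(elem.attrib))
        copy.text, copy.tail = elem.text, elem.tail
        for child in elem:
            kept = prune(child)
            if kept is not None:
                copy.append(kept)
        return copy

    pruned = prune(root)
    return ET.tostring(pruned, encoding="unicode") if pruned is not None else ""


if __name__ == "__main__":
    for name, role in (("safe", ROLE_SAFE), ("leaky", ROLE_LEAKY)):
        view = visible_cib(role, SAMPLE_CIB)
        print(name, "leaks password:", "example-secret" in view)
```

Running it prints that the "safe" ordering hides the password while the "leaky" ordering exposes it, even though both roles contain exactly the same two rules. With first-match evaluation, the broad read for the whole cib has to be the last rule of the role, after any exclusions for secrets.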