[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Thu Feb 4 16:24:41 UTC 2010


On 02/04/10 21:01, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 8:51 AM, Yan Gao <ygao at novell.com> wrote:
>>
>>
>> On 02/04/10 15:15, Andrew Beekhof wrote:
>>> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao <ygao at novell.com> wrote:
>>>>
>>>>
>>>> Andrew Beekhof wrote:
>>>>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <ygao at novell.com> wrote:
>>>>>
>>>>> [snip]
>>>>>
>>>>>> A configuration example:
>>>>>> ..
>>>>>> <acls>
>>>>>>  <role id="operator">
>>>>>>    <write id="operator-write-0" tag="nodes"/>
>>>>>>    <write id="operator-write-1" tag="status"/>
>>>>>>  </role>
>>>>>>  <role id="monitor">
>>>>>>    <read id="monitor-read-0" tag="nodes"/>
>>>>>>    <read id="monitor-read-1" tag="status"/>
>>>>>>  </role>
>>>>>
>>>>> [snip]
>>>>>
>>>>> Quick question, have you tried using crm_mon with a configuration like this?
>>>>> I'm pretty sure you'll get nothing sensible as it can't find the resources.
>>>> Indeed. I had thought that the information from "<status..." could be enough
>>>> for monitoring, but then realized both the nodes and resources from
>>>> "<configuration..." are required.
>>>>
>>>>>
>>>>> Might want to think about how to deal with that...
>>>> We could either give some well defined ACLs for that, or is it possible that
>>>> crm_mon doesn't depend on the info from "configuration"?
>>>
>>> No, crm_mon definitely needs the full configuration.
>> Well, so perhaps we could usually define the roles as:
>>
>> ..
>> <acls>
>>  <role id="operator">
>>    <write id="operator-write-0" tag="nodes"/>
>>    <write id="operator-write-1" tag="status"/>
>>    <read id="operator-read-0" tag="cib"/>
>>  </role>
>>  <role id="monitor">
>>    <read id="monitor-read-0" tag="cib"/>
>>  </role>
>> ..
> 
> And put exclusions for things like passwords before the read for the whole cib?
Yes. We should specify any "deny" and "write" objects before it.

Thanks,
  Yan
-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
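The thread's conclusion is that rule order matters: a "deny" for sensitive items (such as a password nvpair) and the "write" rules have to come before the blanket "read" of the whole cib, otherwise the broad read matches first and the exclusion never applies. The following is an added, self-contained model of that ordered ("first match wins") evaluation written for this page; it is not Pacemaker's ACL implementation. It assumes a rule matches an element when its tag equals the element's tag or that of any ancestor (subtree semantics, as the page's tag="cib" usage implies), that "write" implies "read", that nothing matching means no access, and it adds an attribute filter (`attrs`) that the page's proposed syntax does not have, so that a deny can single out an nvpair named "password". The CIB fragment and role definitions are constructed sample data.

```python
"""Model of ordered, first-match-wins ACL evaluation over a CIB-like XML tree.

Added example for this mailing-list thread; not Pacemaker's own code.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Rule:
    kind: str                                  # "read", "write" or "deny"
    tag: str                                   # element tag the rule covers, subtree included
    attrs: dict = field(default_factory=dict)  # optional attribute filter (assumption, not page syntax)


def rule_matches(rule, lineage):
    """True if the rule's tag (and attribute filter) matches the element or any ancestor."""
    return any(
        el.tag == rule.tag and all(el.get(k) == v for k, v in rule.attrs.items())
        for el in lineage
    )


def check_access(role, lineage, op):
    """Evaluate the role's rules in order; the first matching rule decides (assumed semantics)."""
    for rule in role:
        if rule_matches(rule, lineage):
            if rule.kind == "deny":
                return False
            if rule.kind == "write":
                return True            # write permission implies read
            return op == "read"        # a read rule grants read only
    return False                       # no rule matched: no access


def walk(element, lineage=()):
    """Yield (root, ..., element) tuples for every element in the tree."""
    lineage = lineage + (element,)
    yield lineage
    for child in element:
        yield from walk(child, lineage)


def path_of(lineage):
    """Human-readable path such as /cib/configuration/nodes/node[@id='n1']."""
    return "/" + "/".join(
        el.tag + (f"[@id='{el.get('id')}']" if el.get("id") else "") for el in lineage
    )


def has_access(role, cib_xml, path, op):
    """Does `role` get `op` ("read"/"write") on the element at `path` of this CIB?"""
    root = ET.fromstring(cib_xml)
    for lineage in walk(root):
        if path_of(lineage) == path:
            return check_access(role, lineage, op)
    raise KeyError(f"no element at {path}")


# Constructed sample CIB with a resource parameter that should stay hidden.
SAMPLE_CIB = """
<cib>
  <configuration>
    <nodes><node id="n1" uname="node1"/></nodes>
    <resources>
      <primitive id="db" class="ocf" provider="heartbeat" type="mysql">
        <instance_attributes id="db-ia">
          <nvpair id="db-ia-password" name="password" value="s3cret"/>
        </instance_attributes>
      </primitive>
    </resources>
  </configuration>
  <status/>
</cib>
"""
PASSWORD_PATH = ("/cib/configuration/resources/primitive[@id='db']"
                 "/instance_attributes[@id='db-ia']/nvpair[@id='db-ia-password']")

# Roles from the thread, with the exclusion placed before the cib-wide read ...
OPERATOR = [Rule("write", "nodes"), Rule("write", "status"), Rule("read", "cib")]
MONITOR = [Rule("deny", "nvpair", {"name": "password"}), Rule("read", "cib")]
# ... and the misordered variant in which the broad read shadows the deny.
MONITOR_MISORDERED = [Rule("read", "cib"), Rule("deny", "nvpair", {"name": "password"})]

if __name__ == "__main__":
    for name, role in [("monitor", MONITOR), ("monitor-misordered", MONITOR_MISORDERED)]:
        print(name, "can read password:", has_access(role, SAMPLE_CIB, PASSWORD_PATH, "read"))
```

Running the block shows the ordered monitor role denied the password while the misordered one reads it, which is exactly the ordering the thread settles on; the operator role can still write nodes and status but only read the rest of the cib.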