[Pacemaker] Multi-level ACLs for the CIB

Dejan Muhamedagic dejanmm at fastmail.fm
Wed Jan 13 04:11:45 EST 2010


Hi Yan,

On Wed, Jan 13, 2010 at 01:21:29PM +0800, Yan Gao wrote:
> Dejan Muhamedagic wrote:
> > Hi,
> > 
> > On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
> >> Hi Dejan,
> >>
> >> Dejan Muhamedagic wrote:
> >>> Hi,
> >>>
> >>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
> >>>> ..
> >>>>     <acls>
> >>>>       <role id="admin">
> >>>>         <write id="admin-write-0" tag="configuration"/>
> >>>>         <write id="admin-write-1" tag="status"/>
> >>>>       </role>
> >>>>       <role id="operator">
> >>>>         <write id="operator-write-0" tag="nodes"/>
> >>>>         <write id="operator-write-1" tag="status"/>
> >>>>       </role>
> >>>>       <role id="monitor">
> >>>>         <read id="operator-read-0" tag="nodes"/>
> >>>>         <read id="monitor-read-1" tag="status"/>
> >>>>         <members>
> >>>>           <uid id="ygao"/>
> >>>>         </members>
> >>>>       </role>
> >>>>       <user id="ygao">
> >>>>         <write id="ygao-write-0" ref="rsc0-meta_attributes-target-role"/>
> >>>>         <deny id="gaoyan-deny-0" ref="rsc0-instance_attributes-password"/>
[...]
> >>>> The user "ygao" is a system account.
> >>>> We could define several roles as we wish, such as "admin",
> >>>> "operator" and "monitor", which could contain a member list
> >>>> respectively if more than one user has the same permissions. A
> >>>> role also could be referenced by a particular "<user ...>"
> >>>> definition.
> >>> I find this a bit confusing: roles have members and users can
> >>> reference roles. Shouldn't one of the two suffice? 
> >> A user can reference one or more roles to combine the rules with his
> >> particular definition. But if several users are supposed to have
> >> completely the same permissions, the "members" under a "role" could avoid
> >> defining the users via separate "<user ..." entries one by one.
> >>
> >>> The way it is
> >>> now, it's also hard to follow.
> >> What if we separate it into two cases for a user definition in the crm shell:
> >> 1. "is" a role
> >> 2. "ref" one role or more roles.
> > 
> > But, let's try to forget for a moment the shell or CRM in general.
> > I'm trying to understand why a role reference makes things
> > better. Actually, it would be great if you could give an example
> > which would clearly show an advantage of such use.
> For example:
> User A has the right to operate rsc1, while user B has the right to
> operate rsc2. Besides that, we might want to grant them the same additional
> permissions, for instance allowing them to monitor the status of the cluster.
> So we could define a common role "monitor" for reference instead
> of defining similar rules repeatedly.

Where's the difference between this and adding users to "monitor"
(the member element)?

Thanks,

Dejan
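To make the question in this exchange concrete, here is an added example (my own code, not part of the thread or of Pacemaker): a small resolver for the ACL layout Yan proposed. It binds a user to a role both ways, through `<members>` and through a reference from `<user>`, and shows that the two forms resolve to the same effective rules. The quoted XML is truncated, so the following are assumptions of mine: a `<user>` references a role with a `<role ref="..."/>` child, rules match a CIB element either by tag name (`tag`) or by element id (`ref`), `<deny>` takes precedence, `<write>` implies `<read>`, and no matching rule means access is refused.

```python
"""Added example (not from the thread or from Pacemaker): resolve the
effective ACL rules of a user under the proposed <acls> layout and
evaluate a read/write request against them."""
import xml.etree.ElementTree as ET

# Constructed sample: the roles from the thread, plus a second user "bob"
# who is bound to "monitor" by reference instead of via <members>.
ACL_XML = """
<acls>
  <role id="admin">
    <write id="admin-write-0" tag="configuration"/>
    <write id="admin-write-1" tag="status"/>
  </role>
  <role id="monitor">
    <read id="monitor-read-0" tag="nodes"/>
    <read id="monitor-read-1" tag="status"/>
    <members>
      <uid id="ygao"/>
    </members>
  </role>
  <user id="ygao">
    <write id="ygao-write-0" ref="rsc0-meta_attributes-target-role"/>
    <deny id="ygao-deny-0" ref="rsc0-instance_attributes-password"/>
  </user>
  <user id="bob">
    <role ref="monitor"/>   <!-- assumed syntax for referencing a role -->
    <write id="bob-write-0" ref="rsc1-meta_attributes-target-role"/>
  </user>
</acls>
"""

RULE_KINDS = ("read", "write", "deny")


def _rules_of(elem):
    """Collect (kind, tag, ref) triples from a <role> or <user> element."""
    return [(r.tag, r.get("tag"), r.get("ref")) for r in elem if r.tag in RULE_KINDS]


def effective_rules(acls_xml, uid):
    """Return the rules that apply to uid: rules of every role listing the
    user under <members>, rules of every role the user's <user> entry
    references (assumed <role ref=.../> syntax), then the user's own rules."""
    root = ET.fromstring(acls_xml)
    roles = {r.get("id"): r for r in root.findall("role")}
    rules = []
    # Binding form 1: the role lists the user as a member.
    for role in roles.values():
        if any(u.get("id") == uid for u in role.findall("members/uid")):
            rules += _rules_of(role)
    # Binding form 2: the <user> entry references the role.
    user = root.find(f"user[@id='{uid}']")
    if user is not None:
        for ref in user.findall("role"):
            role = roles.get(ref.get("ref"))
            if role is not None:
                rules += _rules_of(role)
        rules += _rules_of(user)
    return rules


def role_rules(acls_xml, uid):
    """Only the tag-based rules a user inherits from roles (used to compare
    the two binding forms)."""
    return [r for r in effective_rules(acls_xml, uid) if r[1] is not None]


def check(acls_xml, uid, tag, elem_id, op):
    """Decide whether uid may perform op ("read" or "write") on a CIB element
    with the given tag and id. Assumed semantics: a matching <deny> always
    wins, <write> implies <read>, and with no matching rule access is refused."""
    allowed = False
    for kind, rtag, rref in effective_rules(acls_xml, uid):
        if not ((rtag is not None and rtag == tag) or (rref is not None and rref == elem_id)):
            continue
        if kind == "deny":
            return False
        if kind == "write" or (kind == "read" and op == "read"):
            allowed = True
    return allowed


if __name__ == "__main__":
    print("ygao via members:", role_rules(ACL_XML, "ygao"))
    print("bob via reference:", role_rules(ACL_XML, "bob"))
    print("ygao read status:", check(ACL_XML, "ygao", "status", "status", "read"))
    print("ygao read password:", check(ACL_XML, "ygao", "nvpair",
                                        "rsc0-instance_attributes-password", "read"))
```

Running it shows both users ending up with exactly the monitor role's rules, which is the redundancy being asked about: from the resolver's point of view a `<members>` list and a role reference are two spellings of one relation, and keeping only one of them leaves a single place to audit when asking "who can read or write this part of the CIB".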