[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Wed Jan 13 12:34:57 UTC 2010 

Andrew Beekhof wrote:
> On Wed, Jan 13, 2010 at 6:21 AM, Yan Gao <ygao at novell.com> wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
>>>> Hi Dejan,
>>>>
>>>> Dejan Muhamedagic wrote:
>>>>>> The user "ygao" is a system account.
>>>>>> We could define several roles as we wish, such as "admin",
>>>>>> "operator" and "monitor", which could contain a member list
>>>>>> respectively if more than one user have the same permissions. A
>>>>>> role also could be referenced by a particular "<user ...>"
>>>>>> definition.
>>>>> I find this a bit confusing: roles have members and users can
>>>>> reference roles. Shouldn't one of the two suffice?
>>>> An user can reference one or more roles to combine the rules with his
>>>> particular definition.
> 
> I don't think you want that.
> "One user, one role" would be my advice.
> 
> Otherwise you have all sorts of potentially non-obvious cases to deal with.
> Like if roleA allows modification of an attribute and roleB disallows
> it, and the user has both.
Actually that's obvious for the ACL checker and filter. They only care about
"the first match" ;-)

Indeed, the administrator must be very careful when configuring ACLs.

> 
> Seriously, make the admin do the normalization (otherwise you have to
> do it for every invocation which is going to slow you down).
> 
> This is the schema I'd suggest
> 
> +  <define name="element-acls">
> +    <element name="acls">
> +      <zeroOrMore>
> +	<choice>
> +	  <element name="user">
> +	    <attribute name="id"><text/></attribute>
> +	    <choice>
> +	      <attribute name="role"><data type="IDREF"/></attribute>
> +	      <zeroOrMore>
> +              <ref name="element-acl"/>
> +	      </zeroOrMore>
> +	    </ichoice>
> +	  </element>
> +	  <element name="role">
> +	    <attribute name="id"><data type="ID"/></attribute>
> +	    <zeroOrMore>
> +            <ref name="element-acl"/>
> +	    </zeroOrMore>
> +	  </element>
> +	</choice>
> +      </zeroOrMore>
> +    </element>
> +  </define>
> 
> In english:
> - Roles have ACLs
> - Users can be assigned EITHER a role OR a set of ACLs
> 
> 
> Oh, and can you explain this please:
> 
> +	  <choice>
> +	    <attribute name="ref"><data type="IDREF"/></attribute>
> +	    <attribute name="tag"><text/></attribute>
> +	    <group>
> +	      <attribute name="ref"><data type="IDREF"/></attribute>
> +	      <attribute name="tag"><text/></attribute>
> +	    </group>
> +	  </choice>
> 
> Why would you want a reference and a tag?
For example, an id "rsc0" could be a "primitive" or a "lrm_resource".
User may want do access control for them respectively.

Regards,
  Yan

-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.

More information about the Pacemaker mailing list