[Pacemaker] Multi-level ACLs for the CIB
Yan Gao
ygao at novell.com
Wed Jan 13 12:40:15 UTC 2010
Hi Dejan,
Dejan Muhamedagic wrote:
> Hi Yan,
>
> On Wed, Jan 13, 2010 at 01:21:29PM +0800, Yan Gao wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
>>>> Hi Dejan,
>>>>
>>>> Dejan Muhamedagic wrote:
>>>>> Hi,
>>>>>
>>>>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
>>>>>> ..
>>>>>> <acls>
>>>>>>   <role id="admin">
>>>>>>     <write id="admin-write-0" tag="configuration"/>
>>>>>>     <write id="admin-write-1" tag="status"/>
>>>>>>   </role>
>>>>>>   <role id="operator">
>>>>>>     <write id="operator-write-0" tag="nodes"/>
>>>>>>     <write id="operator-write-1" tag="status"/>
>>>>>>   </role>
>>>>>>   <role id="monitor">
>>>>>>     <read id="operator-read-0" tag="nodes"/>
>>>>>>     <read id="monitor-read-1" tag="status"/>
>>>>>>     <members>
>>>>>>       <uid id="ygao"/>
>>>>>>     </members>
>>>>>>   </role>
>>>>>>   <user id="ygao">
>>>>>>     <write id="ygao-write-0" ref="rsc0-meta_attributes-target-role"/>
>>>>>>     <deny id="gaoyan-deny-0" ref="rsc0-instance_attributes-password"/>
> [...]
>>>>>> The user "ygao" is a system account.
>>>>>> We could define several roles as we wish, such as "admin",
>>>>>> "operator" and "monitor", each of which could contain a member list
>>>>>> if more than one user has the same permissions. A
>>>>>> role could also be referenced by a particular "<user ...>"
>>>>>> definition.
>>>>> I find this a bit confusing: roles have members and users can
>>>>> reference roles. Shouldn't one of the two suffice?
>>>> A user can reference one or more roles to combine their rules with his
>>>> particular definition. But if several users are supposed to have
>>>> exactly the same permissions, the "members" under a "role" avoids
>>>> having to define the users via separate "<user ..." entries one by one.
>>>>
>>>>> The way it is
>>>>> now, it's also hard to follow.
>>>> What about separating it into two cases for a user definition in the crm shell:
>>>> 1. "is" a role
>>>> 2. "ref" one or more roles.
>>> But, let's try to forget for a moment the shell or CRM in general.
>>> I'm trying to understand why a role reference makes things
>>> better. Actually, it would be great if you could give an example
>>> which would clearly show an advantage of such use.
>> For example:
>> User A has the right to operate rsc1, while user B has the right to
>> operate rsc2. Besides that, we might want to grant them some other identical
>> permissions, for instance allowing them to monitor the status of the cluster.
>> So we could define a common role "monitor" to reference instead
>> of defining similar rules repeatedly.
>
> Where's the difference between this and adding users to "monitor"
> (the member element)?
If a user only references one role and doesn't have other ACLs,
there's no difference except that it makes the XML more concise :-)
If a user has other specific ACLs besides the role reference, he could
interleave them as he needs.
Regards,
Yan
--
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
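As an added illustration of the model being discussed (this is example code written for this page, not code from the thread or from Pacemaker), here is a small Python evaluator for ACLs in the proposed syntax. It assumes a `<role_ref id="..."/>` child of `<user>` as the way a user references a role (the thread mentions the reference but does not show the element), assumes that a rule with `tag=` or `ref=` covers that element and its whole subtree, and assumes that a matching `deny` wins over any grant while `write` wins over `read`. The ACL document, the users `alice`, `bob` and `carol`, and the CIB element paths are all constructed for the demo. It shows the point made above: a user who only references one role ends up with exactly the same rules as a member of that role, while a user who references a role and adds `write`/`deny` rules of his own gets them merged in.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the thread's ACL syntax. <role_ref> under <user> is an
# assumption (the thread does not show the reference element). "bob" is a
# member of the monitor role, "carol" only references it, "alice" references
# it and adds rules of her own.
ACL_XML = """
<acls>
  <role id="monitor">
    <read id="monitor-read-0" tag="nodes"/>
    <read id="monitor-read-1" tag="status"/>
    <members>
      <uid id="bob"/>
    </members>
  </role>
  <user id="carol">
    <role_ref id="monitor"/>
  </user>
  <user id="alice">
    <role_ref id="monitor"/>
    <write id="alice-write-0" ref="rsc1-meta_attributes-target-role"/>
    <deny id="alice-deny-0" ref="rsc1-instance_attributes-password"/>
  </user>
</acls>
"""

RULE_KINDS = ("read", "write", "deny")


def parse_acls(xml_text):
    """Return ({role_id: {rules, members}}, {user_id: {rules, refs}})."""
    root = ET.fromstring(xml_text)
    roles, users = {}, {}
    for role in root.findall("role"):
        roles[role.get("id")] = {
            "rules": [(r.tag, dict(r.attrib)) for r in role if r.tag in RULE_KINDS],
            "members": [u.get("id") for u in role.findall("members/uid")],
        }
    for user in root.findall("user"):
        users[user.get("id")] = {
            "rules": [(r.tag, dict(r.attrib)) for r in user if r.tag in RULE_KINDS],
            "refs": [r.get("id") for r in user.findall("role_ref")],
        }
    return roles, users


def effective_rules(roles, users, uid):
    """Rules that apply to uid: roles the user is a member of, roles the user
    references, then the user's own rules, in document order."""
    rules = []
    for role in roles.values():
        if uid in role["members"]:
            rules.extend(role["rules"])
    user = users.get(uid, {"rules": [], "refs": []})
    for rid in user["refs"]:
        if rid not in roles:
            # Fail closed on a dangling reference instead of silently ignoring it.
            raise ValueError("user %s references unknown role %s" % (uid, rid))
        rules.extend(roles[rid]["rules"])
    rules.extend(user["rules"])
    return rules


def rule_matches(attrs, path):
    """path is [(tag, id-or-None), ...] from the CIB root down to the element.
    Assumed subtree semantics: a rule on tag= or ref= covers that element and
    everything below it."""
    if "ref" in attrs:
        return any(eid == attrs["ref"] for _, eid in path)
    if "tag" in attrs:
        return any(tag == attrs["tag"] for tag, _ in path)
    return False


def permission(roles, users, uid, path):
    """Assumed precedence: a matching deny wins; otherwise the widest matching
    grant (write over read); no matching rule means no access."""
    result = "none"
    for kind, attrs in effective_rules(roles, users, uid):
        if not rule_matches(attrs, path):
            continue
        if kind == "deny":
            return "deny"
        if kind == "write":
            result = "write"
        elif kind == "read" and result == "none":
            result = "read"
    return result


ROLES, USERS = parse_acls(ACL_XML)

# Element paths as they would appear in a CIB (constructed for the demo).
STATUS_NODE = [("cib", None), ("status", None), ("node_state", "node1")]
TARGET_ROLE = [("cib", None), ("configuration", None), ("resources", None),
               ("primitive", "rsc1"), ("meta_attributes", "rsc1-meta_attributes"),
               ("nvpair", "rsc1-meta_attributes-target-role")]
PASSWORD = [("cib", None), ("configuration", None), ("resources", None),
            ("primitive", "rsc1"), ("instance_attributes", "rsc1-instance_attributes"),
            ("nvpair", "rsc1-instance_attributes-password")]

if __name__ == "__main__":
    # Membership and a lone role reference resolve to the same rule set.
    print(effective_rules(ROLES, USERS, "bob") == effective_rules(ROLES, USERS, "carol"))
    for uid, path in [("bob", STATUS_NODE), ("alice", TARGET_ROLE), ("alice", PASSWORD)]:
        print(uid, path[-1][1] or path[-1][0], permission(ROLES, USERS, uid, path))
```

Two design choices worth noting. A reference to a role that does not exist raises instead of being skipped, so a typo in a `role_ref` is caught when the ACLs are loaded rather than quietly leaving the user with fewer (or, if the typo lands on another role's id, different) rights than intended. And `deny` is checked against every matching rule before any grant is honoured, so `alice` keeps the `password` nvpair out of reach even though her `monitor` role and her own `write` rule would otherwise apply to neighbouring elements.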