[Pacemaker] Multi-level ACLs for the CIB

Andrew Beekhof andrew at beekhof.net
Thu Jan 14 09:42:00 UTC 2010


On Wed, Jan 13, 2010 at 11:07 AM, Dejan Muhamedagic <dejanmm at fastmail.fm> wrote:
> Hi,
>
> On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
> [...]
>> I don't think you want that.
>> "One user, one role" would be my advice.
>
> Wouldn't that be too restrictive?

I don't see why.  It just requires the admin to do the normalization
of roleD = roleA || roleB && roleC (or whatever).
I'd not be expecting the ACLs to change often enough for this to be an
onerous task.

And if the admin specifies exactly what they want, there's no
possibility for unexpected (for all variations of unexpected)
behavior.
Plus it's computationally faster.

>> Otherwise you have all sorts of potentially non-obvious cases to deal with.
>> Like if roleA allows modification of an attribute and roleB disallows
>> it, and the user has both.
>
> First match wins: the result is undefined,

My point exactly, too much scope for admin-error and non-intuitive
ordering issues (like we have for groups).
KISS - we're not building Fort Knox here.

[snip]

>> In English:
>> - Roles have ACLs
>> - Users can be assigned EITHER a role OR a set of ACLs
>
> This is a further simplification. Though it would make the
> configuration more straightforward and easier to understand.

exactly :-)
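
The ordering problem discussed in this thread, as an added example that is not part of the original message or of Pacemaker's code: a user holding two roles gets different first-match results depending on role order, while a single normalized role gives one answer. The rule model, role contents and paths are constructed assumptions, not Pacemaker's ACL schema.

```python
# Added illustration; the rule model is hypothetical, not Pacemaker's ACL schema.
from itertools import permutations

# Each role is an ordered list of (decision, path_prefix) rules (constructed data).
ROLES = {
    "roleA": [("write", "/cib/configuration/resources")],
    "roleB": [("deny", "/cib/configuration/resources/db"),
              ("read", "/cib")],
}

def first_match(rules, path):
    """Return the decision of the first rule whose prefix covers path, else 'deny'."""
    for decision, prefix in rules:
        if path == prefix or path.startswith(prefix + "/"):
            return decision
    return "deny"

def decide_multi_role(role_order, path):
    """Multi-role user: concatenate rules in assignment order, first match wins."""
    merged = [rule for name in role_order for rule in ROLES[name]]
    return first_match(merged, path)

def order_dependent_paths(role_names, paths):
    """Paths whose outcome changes with the order the roles are listed in."""
    ambiguous = {}
    for path in paths:
        outcomes = {order: decide_multi_role(order, path)
                    for order in permutations(role_names)}
        if len(set(outcomes.values())) > 1:
            ambiguous[path] = outcomes
    return ambiguous

# "One user, one role": the admin writes the normalized role out explicitly.
ROLE_D = [("deny", "/cib/configuration/resources/db"),
          ("write", "/cib/configuration/resources"),
          ("read", "/cib")]

PATHS = ["/cib/configuration/resources/db/meta",
         "/cib/configuration/resources/web",
         "/cib/status"]

if __name__ == "__main__":
    for path, outcomes in order_dependent_paths(["roleA", "roleB"], PATHS).items():
        print("order-dependent:", path, outcomes)
    for path in PATHS:
        print("roleD:", path, "->", first_match(ROLE_D, path))
```

Running `order_dependent_paths` over a proposed multi-role assignment before deploying it gives the admin the list of paths that need an explicit decision in the normalized role.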



