[Pacemaker] Multi-level ACLs for the CIB

Dejan Muhamedagic dejanmm at fastmail.fm
Wed Jan 13 05:07:35 EST 2010 

Hi,

On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
[...]
> >>>>> The user "ygao" is a system account.
> >>>>> We could define several roles as we wish, such as "admin",
> >>>>> "operator" and "monitor", which could contain a member list
> >>>>> respectively if more than one user have the same permissions. A
> >>>>> role also could be referenced by a particular "<user ...>"
> >>>>> definition.
> >>>> I find this a bit confusing: roles have members and users can
> >>>> reference roles. Shouldn't one of the two suffice?
> >>> An user can reference one or more roles to combine the rules with his
> >>> particular definition.
> 
> I don't think you want that.
> "One user, one role" would be my advice.

Wouldn't that be too restrictive?

> Otherwise you have all sorts of potentially non-obvious cases to deal with.
> Like if roleA allows modification of an attribute and roleB disallows
> it, and the user has both.

First match wins: the result is undefined, i.e. depends on the
order of roles. Which we apparently don't have. Unless the member
element is dropped in favour of role references.

> Seriously, make the admin do the normalization (otherwise you have to
> do it for every invocation which is going to slow you down).
> 
> This is the schema I'd suggest
> 
> +  <define name="element-acls">
> +    <element name="acls">
> +      <zeroOrMore>
> +	<choice>
> +	  <element name="user">
> +	    <attribute name="id"><text/></attribute>
> +	    <choice>
> +	      <attribute name="role"><data type="IDREF"/></attribute>
> +	      <zeroOrMore>
> +              <ref name="element-acl"/>
> +	      </zeroOrMore>
> +	    </ichoice>
> +	  </element>
> +	  <element name="role">
> +	    <attribute name="id"><data type="ID"/></attribute>
> +	    <zeroOrMore>
> +            <ref name="element-acl"/>
> +	    </zeroOrMore>
> +	  </element>
> +	</choice>
> +      </zeroOrMore>
> +    </element>
> +  </define>
> 
> In english:
> - Roles have ACLs
> - Users can be assigned EITHER a role OR a set of ACLs

This is a further simplification. Though it would make the
configuration more straightforward and easier to understand.

Thanks,

Dejan

More information about the Pacemaker mailing list