[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Wed Jan 13 07:31:44 EST 2010


Andrew Beekhof wrote:
> On Tue, Jan 12, 2010 at 1:06 PM, Yan Gao <ygao at novell.com> wrote:
>> Andrew Beekhof wrote:
>>> On Tue, Jan 12, 2010 at 10:41 AM, Dejan Muhamedagic <dejanmm at fastmail.fm> wrote:
>>>> Hi,
>>>>
>>>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
>>>>> BTW, there are some changes compared to the original design:
>>>>> [...]
>>>>> There could be an "attribute" for an ACL object in the original design :
>>>>> <write id=... ref="rsc0-meta_attributes-target-role" attribute="value" />
>>>>>
>>>>> it was supposed to mean the user could only write the "value" attribute of
>>>>> the "rsc0-meta_attributes-target-role" element.
>>>>>
>>>>> I didn't implement it because there's no good way for now for the ACL
>>>>> checker to recognize if a modification would change/add/remove any
>>>>> particular attributes of an XML element. And I'm wondering whether it's
>>>>> necessary to implement it... Your thoughts?
>>> Check the diff?
>> It now does check the diff. Besides the "__crm_diff_marker__" set for add/remove,
>> I also added a marker for "modified". But one modification could modify several of its
>> attributes. So for recognizing those, we might need to add multiple markers for one element?
> 
> It doesn't make sense to me why you'd need to do that; it can be inferred.
> 
> If an attribute is only in diff-added - then it was created.
> If an attribute is only in diff-removed - then it was deleted.
> If an attribute is in both it was modified
Right, I misunderstood it. We don't need a marker for "modified".
In the diff, any appearance of an attribute except "id" means the
element was modified.

I'll implement access control on particular attributes of an XML element.

> 
> te_callbacks.c has similar logic IIRC
> 
> If you see __crm_diff_marker__, then everything from there down was
> affected (either created or deleted; it's not set for modify).
> And xpath will still work because the diff includes the path back to
> the cib root.
> 

Thanks,
  Yan

-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
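The created/deleted/modified inference Andrew describes, as an added Python example that is not Pacemaker's own code (Pacemaker does this in C over libxml2 diffs): it builds an attribute-level diff-removed/diff-added split between a constructed "before" and "after" CIB fragment, classifies each attribute by the rule in the thread (only in added: created; only in removed: deleted; in both: modified), and then checks the result against hypothetical ACL rules modelled on the <write ref=... attribute=.../> element quoted above. The sample CIB, the rule lists and the exact-id matching in acl_denied are assumptions for illustration; they do not reflect how Pacemaker's ACL code resolves ref/xpath against the diff.

```python
import xml.etree.ElementTree as ET

# Constructed sample CIB fragments (before and after an edit); not taken from
# any real cluster.  Ids follow Pacemaker's usual naming so the ACL "ref="
# form quoted in the thread can point at them.
OLD_CIB = """
<cib>
  <configuration>
    <resources>
      <primitive id="rsc0" class="ocf" provider="heartbeat" type="Dummy" description="demo">
        <meta_attributes id="rsc0-meta_attributes">
          <nvpair id="rsc0-meta_attributes-target-role" name="target-role" value="Stopped"/>
        </meta_attributes>
      </primitive>
    </resources>
  </configuration>
</cib>
"""

NEW_CIB = """
<cib>
  <configuration>
    <resources>
      <primitive id="rsc0" class="ocf" provider="heartbeat" type="Dummy">
        <meta_attributes id="rsc0-meta_attributes">
          <nvpair id="rsc0-meta_attributes-target-role" name="target-role" value="Started"/>
          <nvpair id="rsc0-meta_attributes-is-managed" name="is-managed" value="false"/>
        </meta_attributes>
      </primitive>
    </resources>
  </configuration>
</cib>
"""


def attrs_by_id(xml_text):
    """Map element id -> its non-id attributes.  Elements without an id are
    skipped in this toy (assumption: CIB configuration elements carry ids)."""
    out = {}
    for el in ET.fromstring(xml_text.strip()).iter():
        eid = el.get("id")
        if eid is not None:
            out[eid] = {k: v for k, v in el.attrib.items() if k != "id"}
    return out


def cib_diff(old_xml, new_xml):
    """Return (diff_removed, diff_added) at attribute granularity, keyed by
    element id: {eid: {attr: value}}.  A changed value lands on both sides,
    which is what lets the caller infer 'modified' with no extra marker."""
    old, new = attrs_by_id(old_xml), attrs_by_id(new_xml)
    removed, added = {}, {}
    for eid in set(old) | set(new):
        o, n = old.get(eid, {}), new.get(eid, {})
        for attr in set(o) | set(n):
            if attr in o and o.get(attr) != n.get(attr):
                removed.setdefault(eid, {})[attr] = o[attr]
            if attr in n and o.get(attr) != n.get(attr):
                added.setdefault(eid, {})[attr] = n[attr]
    return removed, added


def classify_changes(removed, added):
    """Apply the rule from the thread to each (element id, attribute) pair:
    only in diff-added -> created, only in diff-removed -> deleted, both -> modified."""
    changes = {}
    for eid in set(removed) | set(added):
        r, a = removed.get(eid, {}), added.get(eid, {})
        for attr in set(r) | set(a):
            if attr in r and attr in a:
                changes[(eid, attr)] = "modified"
            elif attr in a:
                changes[(eid, attr)] = "created"
            else:
                changes[(eid, attr)] = "deleted"
    return changes


# Hypothetical ACL rules modelled on the <write ref=... attribute=.../> element
# quoted in the thread.  attribute=None means the whole element is writable.
ACL_TARGET_ROLE_VALUE_ONLY = [
    {"ref": "rsc0-meta_attributes-target-role", "attribute": "value"},
]
ACL_WHOLE_RESOURCE = [
    {"ref": "rsc0", "attribute": None},
    {"ref": "rsc0-meta_attributes-target-role", "attribute": None},
    {"ref": "rsc0-meta_attributes-is-managed", "attribute": None},
]


def acl_denied(acl, changes):
    """Return the sorted list of (eid, attr, kind) the ACL does not permit.
    Assumption for this toy: a rule covers a change only when its ref equals
    the changed element's id exactly and it names the attribute or leaves it unset."""
    denied = []
    for (eid, attr), kind in changes.items():
        permitted = any(rule["ref"] == eid and rule["attribute"] in (None, attr)
                        for rule in acl)
        if not permitted:
            denied.append((eid, attr, kind))
    return sorted(denied)


if __name__ == "__main__":
    removed, added = cib_diff(OLD_CIB, NEW_CIB)
    changes = classify_changes(removed, added)
    for (eid, attr), kind in sorted(changes.items()):
        print(f"{eid}@{attr}: {kind}")
    print("denied:", acl_denied(ACL_TARGET_ROLE_VALUE_ONLY, changes))
```

With the value-only rule, the target-role value change passes but the deleted description on rsc0 and the two attributes of the newly created is-managed nvpair are refused, which is the behaviour the attribute="value" form was meant to express; the whole-resource rule list admits all four changes.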