[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Wed Jan 13 07:40:15 EST 2010


Hi Dejan,

Dejan Muhamedagic wrote:
> Hi Yan,
> 
> On Wed, Jan 13, 2010 at 01:21:29PM +0800, Yan Gao wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
>>>> Hi Dejan,
>>>>
>>>> Dejan Muhamedagic wrote:
>>>>> Hi,
>>>>>
>>>>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
>>>>>> ..
>>>>>>     <acls>
>>>>>>       <role id="admin">
>>>>>>         <write id="admin-write-0" tag="configuration"/>
>>>>>>         <write id="admin-write-1" tag="status"/>
>>>>>>       </role>
>>>>>>       <role id="operator">
>>>>>>         <write id="operator-write-0" tag="nodes"/>
>>>>>>         <write id="operator-write-1" tag="status"/>
>>>>>>       </role>
>>>>>>       <role id="monitor">
>>>>>>         <read id="operator-read-0" tag="nodes"/>
>>>>>>         <read id="monitor-read-1" tag="status"/>
>>>>>>         <members>
>>>>>>           <uid id="ygao"/>
>>>>>>         </members>
>>>>>>       </role>
>>>>>>       <user id="ygao">
>>>>>>         <write id="ygao-write-0" ref="rsc0-meta_attributes-target-role"/>
>>>>>>         <deny id="gaoyan-deny-0" ref="rsc0-instance_attributes-password"/>
> [...]
>>>>>> The user "ygao" is a system account.
>>>>>> We could define several roles as we wish, such as "admin",
>>>>>> "operator" and "monitor", each of which could contain a member
>>>>>> list if more than one user has the same permissions. A role
>>>>>> could also be referenced by a particular "<user ...>"
>>>>>> definition.
>>>>> I find this a bit confusing: roles have members and users can
>>>>> reference roles. Shouldn't one of the two suffice? 
>>>> A user can reference one or more roles to combine their rules with his
>>>> particular definition. But if several users are supposed to have
>>>> exactly the same permissions, the "members" under a "role" avoids
>>>> defining the users one by one via separate "<user ..." elements.
>>>>
>>>>> The way it is
>>>>> now, it's also hard to follow.
>>>> What if we separate it into two cases for a user definition in crm shell:
>>>> 1. "is" a role
>>>> 2. "ref" one or more roles.
>>> But, let's try to forget for a moment the shell or CRM in general.
>>> I'm trying to understand why a role reference makes things
>>> better. Actually, it would be great if you could give an example
>>> which would clearly show an advantage of such use.
>> For example:
>> User A has the right to operate rsc1, while user B has the right to
>> operate rsc2. Besides that, we might want to grant both of them the
>> same additional permissions, for instance allowing them to monitor
>> the status of the cluster. So we could define a common role "monitor"
>> for reference instead of defining similar rules repeatedly.
> 
> Where's the difference between this and adding users to "monitor"
> (the member element)?
If a user only references one role and doesn't have other ACLs,
there's no difference, except making the XML more concise :-)

If a user has other specific ACLs besides the role reference, he could
interleave them as he needs.

Regards,
  Yan

-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.

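To make the "members" versus role-reference comparison concrete, here is an added example (not Pacemaker's own code and not from anyone in this thread) that resolves the effective access of a user under the ACL XML sketched above. It assumes a `<role_ref id="..."/>` child of `<user>` as the role-reference syntax (the thread does not show one), first-match-wins evaluation in the order user-level rules, then roles the user is a member of, and default deny; `tag` rules match the target element or any of its ancestors, `ref` rules match an exact id. The CIB fragment and the extra users "alice" and "bob" are constructed for the demonstration.

```python
"""Resolve effective CIB access for a user under the proposed multi-level ACLs.

Added example; role_ref syntax, first-match and default-deny semantics are
assumptions, not the thread's or Pacemaker's definition.
"""
import xml.etree.ElementTree as ET

# ACL fragment from the thread, extended with a role_ref user (assumed syntax)
# and a member of "operator" so that each combination can be exercised.
ACL_XML = """
<acls>
  <role id="admin">
    <write id="admin-write-0" tag="configuration"/>
    <write id="admin-write-1" tag="status"/>
  </role>
  <role id="operator">
    <write id="operator-write-0" tag="nodes"/>
    <write id="operator-write-1" tag="status"/>
    <members><uid id="bob"/></members>
  </role>
  <role id="monitor">
    <read id="operator-read-0" tag="nodes"/>
    <read id="monitor-read-1" tag="status"/>
    <members><uid id="ygao"/></members>
  </role>
  <user id="ygao">
    <write id="ygao-write-0" ref="rsc0-meta_attributes-target-role"/>
    <deny id="gaoyan-deny-0" ref="rsc0-instance_attributes-password"/>
  </user>
  <user id="alice">
    <role_ref id="monitor"/>
    <write id="alice-write-0" ref="rsc1-meta_attributes-target-role"/>
  </user>
</acls>
"""

# Constructed, minimal CIB so that tag- and ref-based rules have targets.
CIB_XML = """
<cib>
  <configuration>
    <nodes><node id="node1" uname="node1"/></nodes>
    <resources>
      <primitive id="rsc0">
        <meta_attributes id="rsc0-meta_attributes">
          <nvpair id="rsc0-meta_attributes-target-role" name="target-role" value="Started"/>
        </meta_attributes>
        <instance_attributes id="rsc0-instance_attributes">
          <nvpair id="rsc0-instance_attributes-password" name="password" value="s3cret"/>
        </instance_attributes>
      </primitive>
      <primitive id="rsc1">
        <meta_attributes id="rsc1-meta_attributes">
          <nvpair id="rsc1-meta_attributes-target-role" name="target-role" value="Stopped"/>
        </meta_attributes>
      </primitive>
    </resources>
  </configuration>
  <status id="status"/>
</cib>
"""

ACLS = ET.fromstring(ACL_XML)
CIB = ET.fromstring(CIB_XML)
RULE_KINDS = ("read", "write", "deny")


def _rules_of_role(acls, role_id):
    """Return the (kind, tag, ref) rules of one role, in document order."""
    role = acls.find(f"./role[@id='{role_id}']")
    if role is None:
        raise KeyError(f"unknown role {role_id!r}")
    return [(r.tag, r.get("tag"), r.get("ref")) for r in role if r.tag in RULE_KINDS]


def rules_for_user(acls, uid):
    """Collect rules in evaluation order: user-level (interleaved role_refs
    and own rules, as written), then roles listing the user as a member."""
    rules = []
    user = acls.find(f"./user[@id='{uid}']")
    if user is not None:
        for child in user:
            if child.tag == "role_ref":          # assumed reference element
                rules.extend(_rules_of_role(acls, child.get("id")))
            elif child.tag in RULE_KINDS:
                rules.append((child.tag, child.get("tag"), child.get("ref")))
    for role in acls.findall("role"):
        if role.find(f"./members/uid[@id='{uid}']") is not None:
            rules.extend(_rules_of_role(acls, role.get("id")))
    return rules


def _path_to(node, element_id, trail=()):
    """Ancestors-or-self chain (root first) of the element with this id."""
    trail = trail + (node,)
    if node.get("id") == element_id:
        return trail
    for child in node:
        found = _path_to(child, element_id, trail)
        if found:
            return found
    return None


def effective_access(acls, cib, uid, element_id):
    """First matching rule wins; no match means deny (assumed default)."""
    path = _path_to(cib, element_id)
    if path is None:
        raise KeyError(f"no CIB element with id {element_id!r}")
    ancestor_tags = {n.tag for n in path}
    for kind, tag, ref in rules_for_user(acls, uid):
        if (ref is not None and ref == element_id) or (tag is not None and tag in ancestor_tags):
            return kind
    return "deny"


def allowed(acls, cib, uid, element_id, op):
    """True if the user may perform op ('read' or 'write') on the element."""
    access = effective_access(acls, cib, uid, element_id)
    return access == "write" if op == "write" else access in ("read", "write")


if __name__ == "__main__":
    for uid in ("ygao", "alice", "bob"):
        for target in ("node1", "rsc0-meta_attributes-target-role",
                       "rsc0-instance_attributes-password", "status"):
            print(f"{uid:6} {target:40} {effective_access(ACLS, CIB, uid, target)}")
```

Both "ygao" (a member of "monitor") and "alice" (referencing "monitor") end up with read access to the nodes section, which is the point made in the reply: membership and reference are equivalent for a user with no other rules, and the difference only shows once per-user `write`/`deny` rules are interleaved with the reference, as "ygao" does for rsc0's target-role and password.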