[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Thu Jan 14 01:07:41 EST 2010


Hi,

Dejan Muhamedagic wrote:
> Hi Yan,
> 
> On Wed, Jan 13, 2010 at 08:49:00PM +0800, Yan Gao wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
>>> [...]
>>>>>>>>> The user "ygao" is a system account.
>>>>>>>>> We could define several roles as we wish, such as "admin",
>>>>>>>>> "operator" and "monitor", which could contain a member list
>>>>>>>>> respectively if more than one user have the same permissions. A
>>>>>>>>> role also could be referenced by a particular "<user ...>"
>>>>>>>>> definition.
>>>>>>>> I find this a bit confusing: roles have members and users can
>>>>>>>> reference roles. Shouldn't one of the two suffice?
>>>>>>> A user can reference one or more roles to combine the rules with his
>>>>>>> particular definition.
>>>> I don't think you want that.
>>>> "One user, one role" would be my advice.
>>> Wouldn't that be too restrictive?
>> How about removing the "members" in role, while preserving the multiple
>> references of roles?
> 
> That would do, of course. For whatever reason, however,
> specifying members along with the role seems more natural to me.
:) Another choice is to preserve "members" but change the data type of the
user id to the schema "ID" type:

 	  <element name="user">
-	    <attribute name="id"><text/></attribute>
+	    <attribute name="id"><data type="ID"/></attribute>
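Review bot: the ID datatype is unique across the whole document, not only among user elements, so a user id that coincides with any other ID-typed attribute elsewhere in the schema will fail validation; that is a second restriction beyond the loss of numeric uids and should be stated together with this change.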

and changing the tag "uid" to "user" under members, also with the "ID" type:

 	        <element name="members">
 	          <zeroOrMore>
-	            <element name="uid">
-                      <attribute name="id"><text/></attribute>
+	            <element name="user">
+                      <attribute name="id"><data type="ID"/></attribute>
 	            </element>		
 	          </zeroOrMore>
 	        </element>
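Review bot: with the members entry typed as ID, a user listed here and also given a standalone <user> definition is a duplicate-ID validation error rather than a link between the two; if a members entry is meant to refer to a user defined elsewhere, `<data type="IDREF"/>` would express that and guarantee the referent exists. The element inside members now also carries the same name as the top-level user element, which the schema allows but which is worth spelling out in the accompanying text.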


This means a "user" can only appear once in the configuration, either
under a role, or in his own definition.

It's not too strict to demand that the user name be a schema "ID" type. The drawback
is that it would no longer support numeric system uids.
What do you think?

Regards,
  Yan

-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
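As an added example (not from the thread or from the Pacemaker project), the following script emulates the two constraints the "ID" datatype would impose on user ids in the proposed ACL schema: the value must be an NCName (so a purely numeric system uid is rejected) and it must be unique across the document (so a user may appear under a role's members or in a standalone definition, but not both). It assumes the element layout implied by the schema fragments above, with `<members>` nested inside `<role>` and `<user>` elements at the top level of `<acls>`; the sample configuration is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# ASCII approximation of the XML NCName production: must start with a letter
# or underscore, may continue with letters, digits, '.', '-' or '_', no colon.
# This is what makes a bare numeric uid such as "1001" invalid as an ID.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

# Constructed sample: "1001" is not an NCName, and "ygao" is declared twice
# (once under the operator role, once as a standalone user).
SAMPLE_ACLS = """<acls>
  <role id="operator">
    <members>
      <user id="ygao"/>
      <user id="1001"/>
    </members>
  </role>
  <user id="ygao"/>
  <user id="alice"/>
</acls>
"""


def check_user_ids(xml_text):
    """Return a list of problems found in the user ids of an <acls> fragment.

    Mirrors what a schema validator enforces for attributes of type "ID":
    lexical validity (NCName) and document-wide uniqueness. Element names
    (acls, role, members, user) are assumed from the proposal in the thread.
    """
    root = ET.fromstring(xml_text)
    problems = []
    seen = {}  # user id -> where it was first declared

    def visit(elem, where):
        uid = elem.get("id")
        if uid is None:
            problems.append("%s: <user> without an id" % where)
            return
        if not NCNAME_RE.match(uid):
            problems.append("%s: id %r is not an NCName" % (where, uid))
        if uid in seen:
            problems.append("%s: id %r already declared in %s"
                            % (where, uid, seen[uid]))
        else:
            seen[uid] = where

    # Users listed under a role's members are declarations, not references,
    # once the attribute is typed as ID.
    for role in root.findall("role"):
        rname = role.get("id", "?")
        for user in role.findall("members/user"):
            visit(user, "role %s" % rname)

    # Standalone user definitions share the same ID namespace.
    for user in root.findall("user"):
        visit(user, "top-level")

    return problems


if __name__ == "__main__":
    for problem in check_user_ids(SAMPLE_ACLS):
        print(problem)
```

Running it on the sample reports the numeric uid under the operator role and the duplicate declaration of "ygao"; a real RelaxNG validator with the ID-typed schema would reject the same two lines, and would additionally reject a user id that collides with any other ID-typed attribute in the CIB.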