[Pacemaker] Multi-level ACLs for the CIB
Yan Gao
ygao at novell.com
Tue Feb 2 00:14:29 EST 2010
Hi,
Sorry for delaying this update so long because of some other work.
The ACL implementation has been improved. As we discussed, two new
functionalities have been added:
* The access control on attributes of elements
* xpath based ACL.
The schema and the corresponding code have been simplified:
<define name="element-acls">
  <element name="acls">
    <zeroOrMore>
      <choice>
        <element name="user">
          <attribute name="id"><text/></attribute>
          <choice>
            <attribute name="role"><data type="IDREF"/></attribute>
            <zeroOrMore>
              <ref name="element-acl"/>
            </zeroOrMore>
          </choice>
        </element>
        <element name="role">
          <attribute name="id"><data type="ID"/></attribute>
          <zeroOrMore>
            <ref name="element-acl"/>
          </zeroOrMore>
        </element>
      </choice>
    </zeroOrMore>
  </element>
</define>
<define name="element-acl">
  <choice>
    <element name="read">
      <ref name="attribute-acl"/>
    </element>
    <element name="write">
      <ref name="attribute-acl"/>
    </element>
    <element name="deny">
      <ref name="attribute-acl"/>
    </element>
  </choice>
</define>
<define name="attribute-acl">
  <attribute name="id"><data type="ID"/></attribute>
  <choice>
    <attribute name="tag"><text/></attribute>
    <attribute name="ref"><data type="IDREF"/></attribute>
    <group>
      <attribute name="tag"><text/></attribute>
      <attribute name="ref"><data type="IDREF"/></attribute>
    </group>
    <attribute name="xpath"><text/></attribute>
  </choice>
  <optional>
    <attribute name="attribute"><text/></attribute>
  </optional>
</define>
A configuration example:
..
<acls>
  <role id="operator">
    <write id="operator-write-0" tag="nodes"/>
    <write id="operator-write-1" tag="status"/>
  </role>
  <role id="monitor">
    <read id="monitor-read-0" tag="nodes"/>
    <read id="monitor-read-1" tag="status"/>
  </role>
  <user id="gaoyan">
    <write id="gaoyan-write-0" xpath="//primitive[@id='rsc0']//nvpair[@name='target-role']"/>
    <deny id="gaoyan-deny-0" xpath="//primitive[@id='rsc0']//nvpair[@name='password']" attribute="value"/>
    <read id="gaoyan-read-0" tag="primitive" ref="rsc0"/>
    <write id="gaoyan-write-1" ref="location_rsc0"/>
    <write id="gaoyan-write-2" tag="nodes"/>
    <write id="gaoyan-write-3" tag="status"/>
  </user>
  <user id="bob" role="operator"/>
  <user id="1002" role="monitor"/>
</acls>
..
As Andrew suggested:
- Roles have ACLs
- Users can be assigned EITHER a role OR a set of ACLs
Besides, a user "id" could be a system username or a numeric uid.
For crm shell, perhaps the syntax would be like:
  user <id> acl_obj [acl_obj ...]
  user <id> <role_id>
  role <id> acl_obj [acl_obj ...]
  acl_obj ::
    mode tag <tag_name> [attribute]
    mode ref <ref_id> [attribute]
    mode tag <tag_name> ref <ref_id> [attribute]
    mode xpath <path> [attribute]
  mode :: read | write | deny
Attached is the updated patch. Please help review it.
Thanks!
Regards,
Yan
--
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pacemaker-cib-acl.diff
Type: text/x-patch
Size: 30457 bytes
Desc: not available
URL: <http://lists.clusterlabs.org/pipermail/pacemaker/attachments/20100202/6ee751a0/attachment.bin>
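Added example (not part of the post or the attached patch): a small Python evaluator for the proposed ACL syntax that resolves a user's rules directly or via role=, matches tag, ref, tag+ref and xpath selectors (with the optional attribute restriction) using the stdlib ElementTree XPath subset, and decides read/write on a constructed CIB fragment. The precedence assumed here (deny wins, write implies read, a matched element covers its subtree) is an assumption, since the post does not define it.

```python
import xml.etree.ElementTree as ET
# Constructed CIB fragment using the ACL syntax from the post (not a real cluster's CIB).
CIB_XML = """<cib><configuration>
 <resources><primitive id="rsc0"><instance_attributes id="rsc0-ia">
  <nvpair id="rsc0-tr" name="target-role" value="Started"/>
  <nvpair id="rsc0-pw" name="password" value="s3cret"/>
 </instance_attributes></primitive></resources>
 <constraints><rsc_location id="location_rsc0" rsc="rsc0" node="node1" score="100"/></constraints>
 <nodes><node id="node1" uname="node1"/></nodes>
 <acls><role id="monitor"><read id="monitor-read-0" tag="nodes"/></role>
  <user id="gaoyan">
   <write id="gaoyan-write-0" xpath="//primitive[@id='rsc0']//nvpair[@name='target-role']"/>
   <deny id="gaoyan-deny-0" xpath="//primitive[@id='rsc0']//nvpair[@name='password']" attribute="value"/>
   <read id="gaoyan-read-0" tag="primitive" ref="rsc0"/>
   <write id="gaoyan-write-1" ref="location_rsc0"/>
  </user>
  <user id="1002" role="monitor"/></acls>
</configuration></cib>"""
CIB = ET.fromstring(CIB_XML)

def by_id(cib, elem_id):
    """First element carrying the given id (ids are unique in the CIB)."""
    return next(e for e in cib.iter() if e.get("id") == elem_id)
def targets_of(cib, rule):
    """Elements an ACL rule selects via xpath, tag, ref, or tag+ref."""
    if rule.get("xpath"):
        return cib.findall("." + rule.get("xpath"))  # "//x" -> ".//x" for ElementTree
    return [e for e in cib.iter(rule.get("tag"))      # tag=None iterates every element
            if rule.get("ref") is None or e.get("id") == rule.get("ref")]
def rules_for(cib, user_id):
    """A user's rules: its role's ACLs when role= is set, otherwise its own children."""
    acls = cib.find("./configuration/acls")
    user = acls.find(f"./user[@id='{user_id}']")
    if user is None:
        return []
    role = user.get("role")
    return list(acls.find(f"./role[@id='{role}']") if role else user)
def allowed(cib, user_id, elem_id, mode, attribute=None):
    """Decide 'read' or 'write' on an element (or one of its attributes) for a user."""
    elem, verdict = by_id(cib, elem_id), False
    for rule in rules_for(cib, user_id):
        if not any(elem in t.iter() for t in targets_of(cib, rule)):  # matched element or a descendant
            continue
        if rule.get("attribute") not in (None, attribute):  # attribute-scoped rule, other attribute
            continue
        if rule.tag == "deny":
            return False  # assumption: deny wins regardless of rule order
        verdict = verdict or rule.tag == "write" or mode == "read"  # write implies read
    return verdict
```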