[Pacemaker] Multi-level ACLs for the CIB

Tim Serong tserong at novell.com
Thu Feb 4 04:36:02 UTC 2010


On 2/4/2010 at 02:52 PM, Yan Gao <ygao at novell.com> wrote: 
>  
> Andrew Beekhof wrote: 
> > On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <ygao at novell.com> wrote: 
> >  
> > [snip] 
> >  
> >> A configuration example: 
> >> .. 
> >> <acls> 
> >>  <role id="operator"> 
> >>    <write id="operator-write-0" tag="nodes"/> 
> >>    <write id="operator-write-1" tag="status"/> 
> >>  </role> 
> >>  <role id="monitor"> 
> >>    <read id="monitor-read-0" tag="nodes"/> 
> >>    <read id="monitor-read-1" tag="status"/> 
> >>  </role> 
> >  
> > [snip] 
> >  
> > Quick question, have you tried using crm_mon with a configuration like  
> this? 
> > I'm pretty sure you'll get nothing sensible as it can't find the resources. 
> Indeed. I ever thought that the information from "<status..." could be enough 
> for monitoring, while then realized both of the nodes and resources from 
> "<configuration..." are required. 
>  
> >  
> > Might want to think about how to deal with that... 
> We could either give some well defined ACLs for that, or is it possible that 
> crm_mon doesn't dependent on the info from "configration"? 
 
I don't think so...  cib/configuration/resources etc. is the canonical
source for what's configured, and may include things for which there is
no status information yet.  There's nothing in cib/status yet, for example,
if the cluster is just starting up, yet crm_mon will still show you the
configured nodes and resources.  I've followed the same logic with Hawk,
too, i.e. I'm interrogating cib/configuration to see what's meant to be
there, then later check cib/status to see if it actually is.

Default ACL that grants everyone read access to configuration, maybe?

Regards,

Tim


-- 
Tim Serong <tserong at novell.com>
Senior Clustering Engineer, Novell Inc.







More information about the Pacemaker mailing list