[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Thu Feb 4 07:51:20 UTC 2010



On 02/04/10 15:15, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao <ygao at novell.com> wrote:
>>
>>
>> Andrew Beekhof wrote:
>>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <ygao at novell.com> wrote:
>>>
>>> [snip]
>>>
>>>> A configuration example:
>>>> ..
>>>> <acls>
>>>>  <role id="operator">
>>>>    <write id="operator-write-0" tag="nodes"/>
>>>>    <write id="operator-write-1" tag="status"/>
>>>>  </role>
>>>>  <role id="monitor">
>>>>    <read id="monitor-read-0" tag="nodes"/>
>>>>    <read id="monitor-read-1" tag="status"/>
>>>>  </role>
>>>
>>> [snip]
>>>
>>> Quick question, have you tried using crm_mon with a configuration like this?
>>> I'm pretty sure you'll get nothing sensible as it can't find the resources.
>> Indeed. I had thought that the information from "<status..." could be enough
>> for monitoring, but then realized that both the nodes and the resources from
>> "<configuration..." are required.
>>
>>>
>>> Might want to think about how to deal with that...
>> We could either give some well-defined ACLs for that, or is it possible that
>> crm_mon doesn't depend on the info from "configuration"?
> 
> No, crm_mon definitely needs the full configuration.
Well, so perhaps we could usually define the roles as:

..
<acls>
  <role id="operator">
    <write id="operator-write-0" tag="nodes"/>
    <write id="operator-write-1" tag="status"/>
    <read id="operator-read-0" tag="cib"/>
  </role>
  <role id="monitor">
    <read id="monitor-read-0" tag="cib"/>
  </role>
..

Regards,
  Yan
-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
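As an added example (not from this thread or from Pacemaker itself), a small Python model of tag-based role resolution that checks the point made above: with the first role set the monitor role cannot read the resources crm_mon needs, while the revised set with read on "cib" covers the whole tree. The names CIB_XML, load_roles, access and crm_mon_readable are assumed, and the matching rule (a permission on tag X covers <X> and its descendants, deepest match wins) is an assumed simplification of Pacemaker's ACL semantics.

```python
import xml.etree.ElementTree as ET

# Constructed minimal CIB skeleton: <configuration> and <status> sit under <cib>.
CIB_XML = "<cib><configuration><nodes/><resources/></configuration><status/></cib>"

# The two role sets quoted in the thread, embedded inline (same rules, one role per line).
ACLS_V1 = """<acls>
  <role id="operator"><write id="operator-write-0" tag="nodes"/><write id="operator-write-1" tag="status"/></role>
  <role id="monitor"><read id="monitor-read-0" tag="nodes"/><read id="monitor-read-1" tag="status"/></role>
</acls>"""
ACLS_V2 = """<acls>
  <role id="operator"><write id="operator-write-0" tag="nodes"/><write id="operator-write-1" tag="status"/><read id="operator-read-0" tag="cib"/></role>
  <role id="monitor"><read id="monitor-read-0" tag="cib"/></role>
</acls>"""

# Elements crm_mon needs, per the thread: nodes and resources from <configuration>, plus <status>.
CRM_MON_PATHS = ("/cib/configuration/nodes", "/cib/configuration/resources", "/cib/status")


def load_roles(acls_xml):
    """Map each role id to {tag: 'read' | 'write'} from an <acls> document."""
    return {role.get("id"): {rule.get("tag"): rule.tag for rule in role}
            for role in ET.fromstring(acls_xml).findall("role")}


def access(cib_xml, rules, path):
    """Access a role's rules grant to the element at a /-separated tag path.

    Assumed model: a rule on tag X covers <X> and everything below it, and the
    deepest covering ancestor decides; with no covering rule the answer is 'none'.
    """
    tags = path.strip("/").split("/")
    root = ET.fromstring(cib_xml)
    # Paths that do not exist in the CIB are never granted anything.
    if root.tag != tags[0] or root.find("/".join(tags[1:]) or ".") is None:
        return "none"
    for tag in reversed(tags):          # element itself first, then its ancestors
        if tag in rules:
            return rules[tag]
    return "none"


def crm_mon_readable(cib_xml, rules):
    """True if every element crm_mon needs is at least readable (write implies read)."""
    return all(access(cib_xml, rules, p) in ("read", "write") for p in CRM_MON_PATHS)


if __name__ == "__main__":
    for name, acls in (("first proposal", ACLS_V1), ("revised proposal", ACLS_V2)):
        for role, rules in load_roles(acls).items():
            print(f"{name}: crm_mon works for role {role!r}: {crm_mon_readable(CIB_XML, rules)}")
```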