[Pacemaker] Multi-level ACLs for the CIB
Dejan Muhamedagic
dejanmm at fastmail.fm
Wed Jan 13 05:07:35 EST 2010
Hi,
On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
[...]
> >>>>> The user "ygao" is a system account.
> >>>>> We could define several roles as we wish, such as "admin",
> >>>>> "operator" and "monitor", which could contain a member list
> >>>>> respectively if more than one user have the same permissions. A
> >>>>> role also could be referenced by a particular "<user ...>"
> >>>>> definition.
> >>>> I find this a bit confusing: roles have members and users can
> >>>> reference roles. Shouldn't one of the two suffice?
> >>> A user can reference one or more roles to combine the rules with his
> >>> particular definition.
>
> I don't think you want that.
> "One user, one role" would be my advice.
Wouldn't that be too restrictive?
> Otherwise you have all sorts of potentially non-obvious cases to deal with.
> Like if roleA allows modification of an attribute and roleB disallows
> it, and the user has both.
First match wins: the result is undefined, i.e. it depends on the
order of roles, which we apparently don't have. Unless the member
element is dropped in favour of role references.
> Seriously, make the admin do the normalization (otherwise you have to
> do it for every invocation which is going to slow you down).
>
> This is the schema I'd suggest
>
> + <define name="element-acls">
> + <element name="acls">
> + <zeroOrMore>
> + <choice>
> + <element name="user">
> + <attribute name="id"><text/></attribute>
> + <choice>
> + <attribute name="role"><data type="IDREF"/></attribute>
> + <zeroOrMore>
> + <ref name="element-acl"/>
> + </zeroOrMore>
> + </ichoice>
> + </element>
> + <element name="role">
> + <attribute name="id"><data type="ID"/></attribute>
> + <zeroOrMore>
> + <ref name="element-acl"/>
> + </zeroOrMore>
> + </element>
> + </choice>
> + </zeroOrMore>
> + </element>
> + </define>
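Review bot: the inner `<choice>` under `<element name="user">` is closed with `</ichoice>`, so the grammar is not well-formed XML and will not load; it should be `</choice>`. Two smaller points on the same hunk: the `user` `id` is `<text/>` while the `role` `id` is `ID`, which is consistent with the user's `role` attribute being an `IDREF` that can only resolve to a role, but a comment saying so would help; and because the `<zeroOrMore>` branch accepts an empty `user`, a user with neither a role nor any ACL is valid, so it should be documented whether that means "deny everything".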
>
> In English:
> - Roles have ACLs
> - Users can be assigned EITHER a role OR a set of ACLs
This is a further simplification. Though it would make the
configuration more straightforward and easier to understand.
Thanks,
Dejan
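As an added illustration, not code from this thread or from Pacemaker, here is a small Python evaluator for the `<acls>` layout Andrew proposes. It resolves a user's role reference once at load time (the "make the admin do the normalization" approach), enforces the schema's choice of either a role or inline ACLs, and shows the first-match ambiguity Dejan describes when a user is allowed to hold two roles. The shape of `element-acl` is not defined anywhere in the thread, so the `read`/`write`/`deny` rules with an `xpath` attribute, the prefix matching used instead of real XPath evaluation, and the sample ACL documents are all assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample matching the <acls> layout quoted above: roles carry ACL
# rules, a user carries either a role reference or its own rules.  The shape
# of element-acl is NOT defined in the thread; this example ASSUMES
# <read|write|deny xpath="..."/> and matches xpath as a plain path prefix.
SAMPLE_ACLS = """\
<acls>
  <role id="operator">
    <write xpath="/cib/configuration/resources"/>
    <read xpath="/cib"/>
  </role>
  <role id="monitor">
    <deny xpath="/cib/configuration/resources"/>
    <read xpath="/cib"/>
  </role>
  <user id="ygao" role="operator"/>
  <user id="watcher">
    <read xpath="/cib/status"/>
  </user>
</acls>
"""

# Constructed: violates the schema's <choice> (role reference AND inline ACLs).
CONFLICTING_ACLS = """\
<acls>
  <role id="operator"><read xpath="/cib"/></role>
  <user id="eve" role="operator"><write xpath="/cib"/></user>
</acls>
"""

RULE_TAGS = ("read", "write", "deny")


def load_acls(xml_text):
    """Parse <acls>; return (users, roles) where each value is an ordered list
    of rule elements.  A user's role reference is resolved here, once, which is
    the 'make the admin do the normalization' approach: evaluation later never
    has to merge roles."""
    root = ET.fromstring(xml_text)
    roles = {r.get("id"): [c for c in r if c.tag in RULE_TAGS]
             for r in root.findall("role")}
    users = {}
    for u in root.findall("user"):
        uid = u.get("id")
        inline = [c for c in u if c.tag in RULE_TAGS]
        role = u.get("role")
        if role is not None and inline:
            raise ValueError(f"user {uid}: 'role' and inline ACLs are mutually exclusive")
        if role is not None:
            if role not in roles:  # the IDREF must resolve to a role id
                raise ValueError(f"user {uid}: unknown role {role!r}")
            users[uid] = roles[role]
        else:
            users[uid] = inline
    return users, roles


def is_valid(xml_text):
    """True when the document satisfies the user/role constraints above."""
    try:
        load_acls(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def first_match(rules, op, path):
    """First-match-wins: the first rule whose xpath prefix covers `path`
    decides.  write grants read and write, read grants read only, deny grants
    nothing.  No matching rule means deny (safe default)."""
    for rule in rules:
        if path.startswith(rule.get("xpath", "")):
            if rule.tag == "write":
                return True
            if rule.tag == "read":
                return op == "read"
            return False  # deny
    return False


def allowed(users, uid, op, path):
    """Permission check for a user under the 'one role or own ACLs' schema."""
    return first_match(users.get(uid, []), op, path)


def multi_role_allowed(roles, role_order, op, path):
    """What happens if a user may hold several roles: rules are concatenated
    in the order the roles are listed, so the answer depends on that order."""
    rules = [r for name in role_order for r in roles[name]]
    return first_match(rules, op, path)


if __name__ == "__main__":
    users, roles = load_acls(SAMPLE_ACLS)
    target = "/cib/configuration/resources/primitive"
    print("ygao write:", allowed(users, "ygao", "write", target))
    print("operator,monitor:", multi_role_allowed(roles, ["operator", "monitor"], "write", target))
    print("monitor,operator:", multi_role_allowed(roles, ["monitor", "operator"], "write", target))
    print("conflicting user valid:", is_valid(CONFLICTING_ACLS))
```

Under the single-role schema every check is a linear scan of one fixed rule list, and the document with both a `role` attribute and inline rules is rejected at load time. The `multi_role_allowed` function exists only to show the problem with "one or more roles": `operator` then `monitor` grants the write, `monitor` then `operator` denies it, with nothing in the document to say which order is intended.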