[Pacemaker] Multi-level ACLs for the CIB
Yan Gao
ygao at novell.com
Wed Jan 13 07:49:00 EST 2010
Dejan Muhamedagic wrote:
> Hi,
>
> On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
> [...]
>>>>>>> The user "ygao" is a system account.
>>>>>>> We could define several roles as we wish, such as "admin",
>>>>>>> "operator" and "monitor", which could contain a member list
>>>>>>> respectively if more than one user has the same permissions. A
>>>>>>> role also could be referenced by a particular "<user ...>"
>>>>>>> definition.
>>>>>> I find this a bit confusing: roles have members and users can
>>>>>> reference roles. Shouldn't one of the two suffice?
>>>>> A user can reference one or more roles to combine the rules with his
>>>>> particular definition.
>> I don't think you want that.
>> "One user, one role" would be my advice.
>
> Wouldn't that be too restrictive?
How about removing the "members" in role, while preserving the multiple
references of roles?
>
>> Otherwise you have all sorts of potentially non-obvious cases to deal with.
>> Like if roleA allows modification of an attribute and roleB disallows
>> it, and the user has both.
>
> First match wins: the result is undefined, i.e. depends on the
> order of roles. Which we apparently don't have. Unless the member
> element is dropped in favour of role references.
>
>> Seriously, make the admin do the normalization (otherwise you have to
>> do it for every invocation which is going to slow you down).
>>
>> This is the schema I'd suggest
>>
>> + <define name="element-acls">
>> + <element name="acls">
>> + <zeroOrMore>
>> + <choice>
>> + <element name="user">
>> + <attribute name="id"><text/></attribute>
>> + <choice>
>> + <attribute name="role"><data type="IDREF"/></attribute>
>> + <zeroOrMore>
>> + <ref name="element-acl"/>
>> + </zeroOrMore>
>> + </ichoice>
>> + </element>
>> + <element name="role">
>> + <attribute name="id"><data type="ID"/></attribute>
>> + <zeroOrMore>
>> + <ref name="element-acl"/>
>> + </zeroOrMore>
>> + </element>
>> + </choice>
>> + </zeroOrMore>
>> + </element>
>> + </define>
>>
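Review bot: `</ichoice>` on the line closing the user's inner `<choice>` is a typo for `</choice>`; as posted the fragment is not well-formed XML, so the RELAX NG schema will not load until that is fixed. Two smaller points on the same hunk: the `<user>` id is declared as `<text/>` while the `<role>` id is `<data type="ID"/>`, so two `<user>` elements with the same id would validate and a first-match evaluator would silently use whichever comes first; if user ids are meant to be unique, `ID` is the safer type. And `<ref name="element-acl"/>` is used in both branches but `element-acl` is not defined in this hunk, so the schema is not validatable on its own until that define is posted.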
>> In english:
>> - Roles have ACLs
>> - Users can be assigned EITHER a role OR a set of ACLs
>
> This is a further simplification. Though it would make the
> configuration more straightforward and easier to understand.
Ok. Once we have a consensus on all of the issues, I'll post
the updated schema including the ACL support for "attribute" later
for you to confirm.
Thanks,
Yan
--
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
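As an added example (not code from Pacemaker, and not posted by anyone in this thread), the Python script below models the two ACL layouts being discussed and evaluates requests with the "first match wins" rule Dejan describes. It shows the order-dependence Andrew warns about when a user combines several roles, the XOR that his suggested schema imposes (a user has either one `role` IDREF or its own list of ACL elements), and the normalization step he asks the admin to perform. Everything the thread leaves open is an assumption here: the body of `element-acl` is taken to be `<read xpath=.../>`, `<write xpath=.../>` or `<deny xpath=.../>`, a multi-role user is modelled with `<role_ref id=.../>` children, a write rule also grants read, and anything unmatched is denied. The CIB fragments are constructed for the example.

```python
# Added example: models the ACL layouts discussed in the thread.
# ASSUMPTIONS (not fixed by the thread): an "element-acl" is one of
# <read xpath=.../>, <write xpath=.../>, <deny xpath=.../>; a multi-role
# user lists its roles as <role_ref id=.../> children; a write rule also
# grants read; a request matching no rule is denied.
import xml.etree.ElementTree as ET

RULE_TAGS = {"read", "write", "deny"}
TARGET = "//nvpair[@name='target-role']"

# Constructed sample, earlier proposal: a user references several roles.
MULTI_ROLE = """
<acls>
  <role id="operator"><write xpath="{t}"/></role>
  <role id="monitor"><deny xpath="{t}"/><read xpath="//resources"/></role>
  <user id="bob"><role_ref id="operator"/><role_ref id="monitor"/></user>
  <user id="bob2"><role_ref id="monitor"/><role_ref id="operator"/></user>
</acls>""".format(t=TARGET)

# Constructed sample, suggested schema: a user has EITHER one role="..."
# IDREF OR its own ACL children.  "dave" deliberately violates that choice.
SINGLE_ROLE = """
<acls>
  <role id="operator"><write xpath="{t}"/></role>
  <user id="alice" role="operator"/>
  <user id="carol"><deny xpath="{t}"/></user>
  <user id="dave" role="operator"><deny xpath="{t}"/></user>
</acls>""".format(t=TARGET)


def load(xml_text):
    """Return ({role id: [rule elements]}, {user id: <user> element})."""
    root = ET.fromstring(xml_text)
    roles = {r.get("id"): [c for c in r if c.tag in RULE_TAGS]
             for r in root.findall("role")}
    users = {u.get("id"): u for u in root.findall("user")}
    return roles, users


def validate(xml_text):
    """Enforce the <choice> of the suggested schema: a <user> carries a role
    attribute or inline ACLs, never both, and the role must resolve."""
    roles, users = load(xml_text)
    problems = []
    for uid, u in users.items():
        own = [c for c in u if c.tag in RULE_TAGS]
        ref = u.get("role")
        if ref is not None and own:
            problems.append(f"{uid}: has both role={ref!r} and {len(own)} inline ACLs")
        if ref is not None and ref not in roles:
            problems.append(f"{uid}: role={ref!r} matches no <role id>")
    return problems


def effective_rules(xml_text, uid):
    """Rules in the order a first-match evaluator will see them."""
    roles, users = load(xml_text)
    u = users[uid]
    ref = u.get("role")
    if ref is not None:            # suggested schema: exactly one role
        return roles[ref]
    rules = []
    for c in u:                    # earlier proposal: role_refs concatenated
        if c.tag == "role_ref":    # in document order, plus inline rules
            rules.extend(roles[c.get("id")])
        elif c.tag in RULE_TAGS:
            rules.append(c)
    return rules


def decide(xml_text, uid, op, xpath):
    """First match wins; write implies read; default deny."""
    for rule in effective_rules(xml_text, uid):
        if rule.get("xpath") != xpath:
            continue
        if rule.tag == "deny":
            return False
        if rule.tag == op or (rule.tag == "write" and op == "read"):
            return True
    return False


def normalize(xml_text, uid):
    """The normalization Andrew asks the admin to do: flatten a multi-role
    user into one <user> with inline ACLs, so the order is fixed in the CIB
    instead of being recomputed on every invocation."""
    u = ET.Element("user", id=uid)
    for rule in effective_rules(xml_text, uid):
        u.append(ET.Element(rule.tag, dict(rule.attrib)))
    return ET.tostring(u, encoding="unicode")


if __name__ == "__main__":
    # bob and bob2 hold the same two roles in opposite order: the answer flips.
    print("bob  write:", decide(MULTI_ROLE, "bob", "write", TARGET))
    print("bob2 write:", decide(MULTI_ROLE, "bob2", "write", TARGET))
    print("normalized bob:", normalize(MULTI_ROLE, "bob"))
    print("schema violations:", validate(SINGLE_ROLE))
```

Run `validate()` before `decide()`: with the suggested schema the evaluator never has to merge roles, so the only way to get an order-dependent result is a `<user>` that carries both a role and inline rules, which `validate()` reports rather than silently resolving.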