On Tue, Dec 8, 2009 at 2:16 PM, Lars Marowsky-Bree <l...@suse.de> wrote:
> On 2009-12-08T09:22:52, Andrew Beekhof <and...@beekhof.net> wrote:
>
>> > Basically, we'd like to see an ACL mechanism. It would be implemented at
>> > the CIB level. So that all the clients - CLI, CRM shell, GUI, etc... -
>> > could benefit. Clients are authenticated via PAM, so we can use uid/gid
>> > for identification.
>>
>> Actually you probably can't do this.
>> Daemons (like the cib) which are not running as root can only
>> authenticate the username/password of the user they're running as.
>
> Well, the non-root internal uids/daemons would of course get exceptions
> just like root, this is about external interfaces.

Wait a second... where are you planning to do the authentication?

>
>> > <deny ref="stonith1-instance_attributes-ilo_password" />
>> > <read ref="stonith1" />
>> > <read ref="#status" />
>> Please, no hashes here.
>
> This stems from the fact that the status XML element doesn't have an id;
> but for general access to specific sections (XML elements) it may be
> worth adding a section=(...) attribute instead of a special prefix in
> the ref="" attribute.

Agreed.