Hi, On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote: [...] > >>>>> The user "ygao" is a system account. > >>>>> We could define several roles as we wish, such as "admin", > >>>>> "operator" and "monitor", which could contain a member list > >>>>> respectively if more than one user have the same permissions. A > >>>>> role also could be referenced by a particular "<user ...>" > >>>>> definition. > >>>> I find this a bit confusing: roles have members and users can > >>>> reference roles. Shouldn't one of the two suffice? > >>> An user can reference one or more roles to combine the rules with his > >>> particular definition. > > I don't think you want that. > "One user, one role" would be my advice.
Wouldn't that be too restrictive? > Otherwise you have all sorts of potentially non-obvious cases to deal with. > Like if roleA allows modification of an attribute and roleB disallows > it, and the user has both. First match wins: the result is undefined, i.e. depends on the order of roles. Which we apparently don't have. Unless the member element is dropped in favour of role references. > Seriously, make the admin do the normalization (otherwise you have to > do it for every invocation which is going to slow you down). > > This is the schema I'd suggest > > + <define name="element-acls"> > + <element name="acls"> > + <zeroOrMore> > + <choice> > + <element name="user"> > + <attribute name="id"><text/></attribute> > + <choice> > + <attribute name="role"><data type="IDREF"/></attribute> > + <zeroOrMore> > + <ref name="element-acl"/> > + </zeroOrMore> > + </ichoice> > + </element> > + <element name="role"> > + <attribute name="id"><data type="ID"/></attribute> > + <zeroOrMore> > + <ref name="element-acl"/> > + </zeroOrMore> > + </element> > + </choice> > + </zeroOrMore> > + </element> > + </define> > > In english: > - Roles have ACLs > - Users can be assigned EITHER a role OR a set of ACLs This is a further simplification. Though it would make the configuration more straightforward and easier to understand. Thanks, Dejan _______________________________________________ Pacemaker mailing list Pacemaker@oss.clusterlabs.org http://oss.clusterlabs.org/mailman/listinfo/pacemaker
