Andrew Beekhof wrote:
> On Tue, Jan 12, 2010 at 1:06 PM, Yan Gao <y...@novell.com> wrote:
>> Andrew Beekhof wrote:
>>> On Tue, Jan 12, 2010 at 10:41 AM, Dejan Muhamedagic <deja...@fastmail.fm> wrote:
>>>> Hi,
>>>>
>>>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
>>>>> BTW, there're some changes compared to the original design:
>>>>> [...]
>>>>> There could be an "attribute" for an ACL object in the original design:
>>>>> <write id=... ref="rsc0-meta_attributes-target-role" attribute="value" />
>>>>>
>>>>> it was supposed to mean user could only write the "value" attribute of
>>>>> "rsc0-meta_attributes-target-role" element.
>>>>>
>>>>> I didn't implement it because there's no good way for now for the ACL
>>>>> checker to recognize if a modification would change/add/remove any
>>>>> particular attributes of an XML element. And I'm thinking if it's
>>>>> necessary to implement it... Your thoughts?
>>> Check the diff?
>> It now does check the diff. Besides the "__crm_diff_marker__" set for add/remove,
>> I also add a marker for "modified". But one modification could modify several of its
>> attributes. So for recognizing those, we might need to add multiple markers for one element?
>
> It doesn't make sense to me why you'd need to do that, it can be inferred.
>
> If an attribute is only in diff-added - then it was created.
> If an attribute is only in diff-removed - then it was deleted.
> If an attribute is in both it was modified

Right, I misunderstood it. We don't need a marker for "modified". In the diff, any appearance of an attribute except "id" means the element was modified.
I'll implement access control on a particular attribute of an XML element.

>
> te_callbacks.c has similar logic IIRC
>
> If you see __crm_diff_marker__, then everything from there down was
> affected (either created or deleted, it's not set for modify).
> And xpath will still work because the diff includes the path back to
> the cib root.
>

Thanks,
  Yan
--
Yan Gao <y...@novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
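
The inference rule from the thread (only in diff-added means created, only in diff-removed means deleted, in both means modified), applied to an attribute-level write ACL. This is an added example, not Pacemaker code: the function names, the `(ref, attribute)` ACL form and the simplified diff sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a simplified form of the diff layout the thread describes:
# each side holds the path from the cib root plus only the attributes that changed.
SAMPLE_DIFF = """<diff>
 <diff-removed><cib><configuration><resources><primitive id="rsc0">
  <nvpair id="rsc0-meta_attributes-target-role" value="Started" note="old"/>
 </primitive></resources></configuration></cib></diff-removed>
 <diff-added><cib><configuration><resources><primitive id="rsc0">
  <nvpair id="rsc0-meta_attributes-target-role" value="Stopped" hint="new"/>
 </primitive></resources></configuration></cib></diff-added>
</diff>"""

MARKER = "__crm_diff_marker__"  # set on whole-element add/remove, not on modify

def attrs_by_id(side):
    """Map element id -> attributes other than "id" found on one side of the diff."""
    out = {}
    for el in (side.iter() if side is not None else ()):
        attrs = {k: v for k, v in el.attrib.items() if k != "id"}
        if attrs:
            # Elements without an id are keyed by tag, so no ACL ref can match them.
            out.setdefault(el.get("id") or el.tag, {}).update(attrs)
    return out

def classify(diff_xml):
    """Return {(element_id, attribute): "created" | "deleted" | "modified"}."""
    root = ET.fromstring(diff_xml)
    removed = attrs_by_id(root.find("diff-removed"))
    added = attrs_by_id(root.find("diff-added"))
    changes = {}
    for eid in removed.keys() | added.keys():
        old, new = removed.get(eid, {}), added.get(eid, {})
        for name in old.keys() | new.keys():
            if name in old and name in new:
                kind = "modified"
            else:
                kind = "created" if name in new else "deleted"
            # A marker means the whole element was added or removed: record it
            # as "*" so that a per-attribute ACL entry can never authorise it.
            changes[(eid, "*" if name == MARKER else name)] = kind
    return changes

def denied(changes, acl):
    """acl: set of (ref, attribute) pairs the user may write. Fail closed."""
    return sorted(key for key in changes if key not in acl)

if __name__ == "__main__":
    acl = {("rsc0-meta_attributes-target-role", "value")}
    print(denied(classify(SAMPLE_DIFF), acl))
```
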