Hi,

Dejan Muhamedagic wrote:
> Hi Yan,
>
> On Wed, Jan 13, 2010 at 08:49:00PM +0800, Yan Gao wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
>>> [...]
>>>>>>>>> The user "ygao" is a system account.
>>>>>>>>> We could define several roles as we wish, such as "admin",
>>>>>>>>> "operator" and "monitor", which could contain a member list
>>>>>>>>> respectively if more than one user have the same permissions. A
>>>>>>>>> role also could be referenced by a particular "<user ...>"
>>>>>>>>> definition.
>>>>>>>> I find this a bit confusing: roles have members and users can
>>>>>>>> reference roles. Shouldn't one of the two suffice?
>>>>>>> An user can reference one or more roles to combine the rules with his
>>>>>>> particular definition.
>>>> I don't think you want that.
>>>> "One user, one role" would be my advice.
>>> Wouldn't that be too restrictive?
>> How about removing the "members" in role, while preserving the multiple
>> references of roles ?
>
> That would do, of course. For whatever reason, however,
> specifying members along with the role seems more natural to me. :)

Another choice is also preserving "members", but changing the data type
of user id to schema "ID" type:
<element name="user"> - <attribute name="id"><text/></attribute> + <attribute name="id"><data type="ID"/></attribute>

and changing the tag "uid" to "user" under members, also with the "ID" type:

<element name="members"> <zeroOrMore> - <element name="uid"> - <attribute name="id"><text/></attribute> + <element name="user"> + <attribute name="id"><data type="ID"/></attribute> </element> </zeroOrMore> </element>

This means a "user" can only appear once in the configuration, either
under a role, or in his own definition. It's not too strict to demand
that the user name is a schema "ID" type. The drawback is that it would
no longer support numeric system uids.

What do you think?

Regards,
Yan
--
Yan Gao <y...@novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
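Review bot: in the first hunk, typing the user `id` attribute as `<data type="ID"/>` constrains more than uniqueness among users, and the schema should say so. ID values must be valid XML names, so beyond numeric uids any account name that starts with a digit or contains a character not allowed in a name can no longer be expressed. ID values are also unique across the whole document, so a user name that matches the id of any other element typed as ID would fail validation. Either document both constraints next to the `user` element, or keep `<text/>` and check user uniqueness separately.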
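Review bot: in the `members` hunk, giving the nested `<element name="user">` an ID-typed `id` means one user can be listed under only a single role and cannot also have a top-level `user` definition, which removes the multiple-role combination discussed earlier in this thread. If that restriction is intended, state it in the schema documentation. If it is not, the member entry could use a reference type such as `IDREF` instead of `ID`, at the cost of requiring a defining `user` element for every member.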