On Wed, Jan 13, 2010 at 11:07 AM, Dejan Muhamedagic <deja...@fastmail.fm> wrote:
> Hi,
>
> On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
> [...]
>> I don't think you want that.
>> "One user, one role" would be my advice.
>
> Wouldn't that be too restrictive?

I don't see why. It just requires the admin to do the normalization of
roleD = roleA || roleB && roleC (or whatever).

I'd not be expecting the ACLs to change often enough for this to be an
onerous task. And if the admin specifies exactly what they want, there's
no possibility for unexpected (for all variations of unexpected) behavior.
Plus it's computationally faster.

>> Otherwise you have all sorts of potentially non-obvious cases to deal with.
>> Like if roleA allows modification of an attribute and roleB disallows
>> it, and the user has both.
>
> First match wins: the result is undefined,

My point exactly, too much scope for admin-error and non-intuitive
ordering issues (like we have for groups).

KISS - we're not building fort knox here.

[snip]

>> In English:
>> - Roles have ACLs
>> - Users can be assigned EITHER a role OR a set of ACLs
>
> This is a further simplification. Though it would make the
> configuration more straightforward and easier to understand.

exactly :-)

_______________________________________________
Pacemaker mailing list
Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker
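The ordering problem raised in the thread, as an added toy model that is not code from the thread or from Pacemaker: with "first match wins" over several roles, the answer for a conflicting attribute flips with the order the roles were assigned, while the by-hand merge under "one user, one role" pins the decision down in the configuration. Role and attribute names are constructed.

```python
# Added example, not code from the thread or from Pacemaker: a toy model
# of the two ACL designs under discussion. Names are made up.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One access-control entry: allow or deny modifying one attribute."""
    attribute: str
    allow: bool

def first_match(roles: list, attribute: str) -> Optional[bool]:
    """Multi-role evaluation with 'first match wins': the first ACE that
    names the attribute decides. Returns None when nothing matched."""
    for role in roles:
        for ace in role:
            if ace.attribute == attribute:
                return ace.allow
    return None

def normalize(*roles, deny_wins: bool = True) -> list:
    """The admin's by-hand merge under 'one user, one role': each attribute
    mentioned by any input role gets exactly one explicit decision, so the
    result no longer depends on the order in which roles were assigned."""
    decisions = {}
    for role in roles:
        for ace in role:
            prev = decisions.get(ace.attribute)
            if prev is None:
                decisions[ace.attribute] = ace.allow
            elif deny_wins:
                decisions[ace.attribute] = prev and ace.allow
            else:
                decisions[ace.attribute] = prev or ace.allow
    return [Ace(attr, allow) for attr, allow in sorted(decisions.items())]

# Constructed sample: roleA allows writing "attr-x", roleB forbids it.
ROLE_A = [Ace("attr-x", True), Ace("attr-y", True)]
ROLE_B = [Ace("attr-x", False)]

def order_dependent_results():
    """Same user, same two roles, two assignment orders: two answers."""
    return (first_match([ROLE_A, ROLE_B], "attr-x"),
            first_match([ROLE_B, ROLE_A], "attr-x"))  # (True, False)

def normalized_result():
    """One merged role: the decision is fixed and visible in the config."""
    merged = normalize(ROLE_A, ROLE_B)
    return first_match([merged], "attr-x")  # False
```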