On Thu, Feb 4, 2010 at 8:51 AM, Yan Gao <y...@novell.com> wrote:
>
>
> On 02/04/10 15:15, Andrew Beekhof wrote:
>> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao <y...@novell.com> wrote:
>>>
>>>
>>> Andrew Beekhof wrote:
>>>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <y...@novell.com> wrote:
>>>>
>>>> [snip]
>>>>
>>>>> A configuration example:
>>>>> ..
>>>>> <acls>
>>>>>   <role id="operator">
>>>>>     <write id="operator-write-0" tag="nodes"/>
>>>>>     <write id="operator-write-1" tag="status"/>
>>>>>   </role>
>>>>>   <role id="monitor">
>>>>>     <read id="monitor-read-0" tag="nodes"/>
>>>>>     <read id="monitor-read-1" tag="status"/>
>>>>>   </role>
>>>>
>>>> [snip]
>>>>
>>>> Quick question, have you tried using crm_mon with a configuration like this?
>>>> I'm pretty sure you'll get nothing sensible as it can't find the resources.
>>> Indeed. I once thought that the information from "<status..." could be
>>> enough for monitoring, but then realized both of the nodes and resources
>>> from "<configuration..." are required.
>>>
>>>>
>>>> Might want to think about how to deal with that...
>>> We could either give some well defined ACLs for that, or is it possible that
>>> crm_mon doesn't depend on the info from "configuration"?
>>
>> No, crm_mon definitely needs the full configuration.
> Well, so perhaps we could usually define the roles as:
>
> ..
> <acls>
>   <role id="operator">
>     <write id="operator-write-0" tag="nodes"/>
>     <write id="operator-write-1" tag="status"/>
>     <read id="operator-read-0" tag="cib"/>
>   </role>
>   <role id="monitor">
>     <read id="monitor-read-0" tag="cib"/>
>   </role>
> ..

And put exclusions for things like passwords before the read for the whole cib?
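
The ordering question raised in this thread, as an added example that is not part of the original messages or of Pacemaker's code: a small evaluator for the roles quoted above, showing why a `monitor` role limited to `nodes` and `status` never sees the resources and why an exclusion has to precede the whole-`cib` read. It assumes first-match-wins evaluation, a `deny` rule kind, and matching by `ref` (element id), none of which the thread specifies; the CIB fragment and its ids are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed CIB fragment; ids and the passwd value are made up.
CIB = ET.fromstring("""
<cib>
  <configuration>
    <nodes><node id="n1"/></nodes>
    <resources>
      <primitive id="fence1">
        <nvpair id="fence1-passwd" name="passwd" value="constructed-secret"/>
      </primitive>
    </resources>
  </configuration>
  <status><node_state id="n1-state"/></status>
</cib>""")

def parse_role(xml):
    """Return the role's rules in document order as (kind, attr, value)."""
    rules = []
    for r in ET.fromstring(xml):
        attr = "tag" if "tag" in r.attrib else "ref"  # "ref" is an assumed attribute
        rules.append((r.tag, attr, r.get(attr)))
    return rules

def readable(rules, cib=CIB):
    """Tags/ids the role may read, under assumed first-match-wins semantics."""
    parent = {c: p for p in cib.iter() for c in p}
    def covers(rule, el):
        _, attr, value = rule
        while el is not None:  # a rule on an element covers its whole subtree
            if (el.tag if attr == "tag" else el.get("id")) == value:
                return True
            el = parent.get(el)
        return False
    seen = set()
    for el in cib.iter():
        # First matching rule decides; no matching rule means no access.
        kind = next((r[0] for r in rules if covers(r, el)), "deny")
        if kind in ("read", "write"):  # assumption: write implies read
            seen.add(el.get("id") or el.tag)
    return seen

MONITOR_V1 = '<role id="monitor"><read id="r0" tag="nodes"/><read id="r1" tag="status"/></role>'
MONITOR_V2 = '<role id="monitor"><read id="r0" tag="cib"/></role>'
DENY_FIRST = '<role id="monitor"><deny id="d0" ref="fence1-passwd"/><read id="r0" tag="cib"/></role>'
DENY_LAST = '<role id="monitor"><read id="r0" tag="cib"/><deny id="d0" ref="fence1-passwd"/></role>'
```

Under these assumptions, `readable(parse_role(DENY_LAST))` still contains `fence1-passwd`, because the `cib` read matches first and the later exclusion is never consulted.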