Andrew Beekhof wrote:
> On Wed, Jan 13, 2010 at 6:21 AM, Yan Gao <y...@novell.com> wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
>>>> Hi Dejan,
>>>>
>>>> Dejan Muhamedagic wrote:
>>>>>> The user "ygao" is a system account.
>>>>>> We could define several roles as we wish, such as "admin",
>>>>>> "operator" and "monitor", which could contain a member list
>>>>>> respectively if more than one user has the same permissions. A
>>>>>> role also could be referenced by a particular "<user ...>"
>>>>>> definition.
>>>>> I find this a bit confusing: roles have members and users can
>>>>> reference roles. Shouldn't one of the two suffice?
>>>> A user can reference one or more roles to combine the rules with his
>>>> particular definition.
>
> I don't think you want that.
> "One user, one role" would be my advice.
>
> Otherwise you have all sorts of potentially non-obvious cases to deal with.
> Like if roleA allows modification of an attribute and roleB disallows
> it, and the user has both.
Actually that's obvious for the ACL checker and filter. They only care about "the first match" ;-)
Indeed, the administrator must be very careful when configuring ACLs.

> Seriously, make the admin do the normalization (otherwise you have to
> do it for every invocation which is going to slow you down).
>
> This is the schema I'd suggest
>
> + <define name="element-acls">
> +   <element name="acls">
> +     <zeroOrMore>
> +       <choice>
> +         <element name="user">
> +           <attribute name="id"><text/></attribute>
> +           <choice>
> +             <attribute name="role"><data type="IDREF"/></attribute>
> +             <zeroOrMore>
> +               <ref name="element-acl"/>
> +             </zeroOrMore>
> +           </ichoice>
> +         </element>
> +         <element name="role">
> +           <attribute name="id"><data type="ID"/></attribute>
> +           <zeroOrMore>
> +             <ref name="element-acl"/>
> +           </zeroOrMore>
> +         </element>
> +       </choice>
> +     </zeroOrMore>
> +   </element>
> + </define>
>
> In English:
> - Roles have ACLs
> - Users can be assigned EITHER a role OR a set of ACLs
>
>
> Oh, and can you explain this please:
>
> +   <choice>
> +     <attribute name="ref"><data type="IDREF"/></attribute>
> +     <attribute name="tag"><text/></attribute>
> +     <group>
> +       <attribute name="ref"><data type="IDREF"/></attribute>
> +       <attribute name="tag"><text/></attribute>
> +     </group>
> +   </choice>
>
> Why would you want a reference and a tag?
For example, an id "rsc0" could be a "primitive" or a "lrm_resource". Users may want to do access control for them respectively.

Regards,
  Yan
--
Yan Gao <y...@novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.

_______________________________________________
Pacemaker mailing list
Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker
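Review bot: in the `element-acls` schema, the `<choice>` inside `<element name="user">` is closed with `</ichoice>`, which does not match its opening tag, so the RELAX NG grammar will not parse as pasted; it should read `</choice>`. It would also help to spell out in a schema comment that `<attribute name="role">` and the `<zeroOrMore>` of `element-acl` are mutually exclusive by design, since that is the "EITHER a role OR a set of ACLs" rule the prose states and the first thing a reader of the grammar will wonder about.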
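Review bot: the `ref`/`tag` `<choice>` is a three-way alternative (`ref` alone, `tag` alone, or the `<group>` carrying both), which amounts to "at least one of `ref` and `tag` must be present". That is a valid RELAX NG pattern, but the duplicated attribute definitions make the intent hard to see; a one-line comment above the `<choice>` stating that both may be given together to disambiguate an id shared by elements of different kinds (the "rsc0" primitive versus lrm_resource case explained in the reply) would save the next reviewer the same question.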
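To make the "first match" point and the multi-role ambiguity concrete, here is an added example in Python. It is not code from the thread or from Pacemaker itself: the `<acl>` entry layout (`permission`, `ref` and `tag` attributes), the whitespace-separated `role` list used to reproduce the "user has both roleA and roleB" case, and the default of deny when nothing matches are all assumptions made for illustration. It resolves each user to an ordered list of entries (either its roles' entries in the order the roles are named, or its inline entries) and lets the first applicable entry decide, so two users holding the same two roles in opposite order get opposite answers for the same object; with a single role per user that ambiguity disappears, which is the normalization the reply asks the administrator to do. The `ref`-plus-`tag` matching also shows how an id such as "rsc0" can be treated differently as a primitive and as an lrm_resource.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the quoted schema. The <acl> entry
# layout (permission/ref/tag attributes) and the whitespace-separated role
# list are assumptions made for this example, not the thread's schema.
SAMPLE_ACLS = """\
<acls>
  <role id="roleA">
    <acl permission="allow" ref="rsc0" tag="primitive"/>
  </role>
  <role id="roleB">
    <acl permission="deny" ref="rsc0"/>
    <acl permission="allow" tag="primitive"/>
  </role>
  <user id="user-ab" role="roleA roleB"/>
  <user id="user-ba" role="roleB roleA"/>
  <user id="operator">
    <acl permission="deny" tag="lrm_resource"/>
    <acl permission="allow" ref="rsc0"/>
  </user>
</acls>
"""


def _entry(acl_el):
    """Normalise one <acl> element into a (permission, ref, tag) tuple."""
    return (acl_el.get("permission"), acl_el.get("ref"), acl_el.get("tag"))


def load_acls(xml_text):
    """Resolve every user to its effective, ordered list of ACL entries.

    A user either names roles (assumed here: whitespace-separated role ids;
    a single id is exactly the one-user-one-role form) or carries inline
    <acl> entries. Resolving once, up front, is the "normalization" step.
    """
    root = ET.fromstring(xml_text)
    roles = {r.get("id"): [_entry(a) for a in r.findall("acl")]
             for r in root.findall("role")}
    users = {}
    for u in root.findall("user"):
        role_attr = u.get("role")
        if role_attr is not None:
            entries = []
            for role_id in role_attr.split():
                entries.extend(roles[role_id])  # KeyError on a dangling role id
        else:
            entries = [_entry(a) for a in u.findall("acl")]
        users[u.get("id")] = entries
    return users


def entry_matches(entry, obj_id, obj_tag):
    """An entry applies when every constraint it carries (ref, tag) holds.

    An entry with both ref and tag only matches the object of that id AND
    that element kind, which is how "rsc0" the primitive is told apart
    from "rsc0" the lrm_resource.
    """
    _, ref, tag = entry
    if ref is not None and ref != obj_id:
        return False
    if tag is not None and tag != obj_tag:
        return False
    return True


def check(users, user_id, obj_id, obj_tag, default="deny"):
    """First-match evaluation: the first applicable entry decides.

    Unknown users and objects no entry covers fall back to `default`
    (assumed deny, the safe choice for an access check).
    """
    for entry in users.get(user_id, []):
        if entry_matches(entry, obj_id, obj_tag):
            return entry[0]
    return default


if __name__ == "__main__":
    users = load_acls(SAMPLE_ACLS)
    for uid in ("user-ab", "user-ba"):
        print(uid, "->", users[uid])
        print("  rsc0/primitive:", check(users, uid, "rsc0", "primitive"))
    print("operator rsc0/primitive:", check(users, "operator", "rsc0", "primitive"))
    print("operator rsc0/lrm_resource:", check(users, "operator", "rsc0", "lrm_resource"))
```

Running it shows `user-ab` allowed and `user-ba` denied on the very same primitive "rsc0", purely because of the order in which the same two roles were named; the `operator` user, with one inline list, gets deny for the lrm_resource view of "rsc0" and allow for the primitive, which is the ref-plus-tag distinction from the reply.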