On 02/04/10 21:01, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 8:51 AM, Yan Gao <y...@novell.com> wrote:
>>
>>
>> On 02/04/10 15:15, Andrew Beekhof wrote:
>>> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao <y...@novell.com> wrote:
>>>>
>>>>
>>>> Andrew Beekhof wrote:
>>>>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao <y...@novell.com> wrote:
>>>>>
>>>>> [snip]
>>>>>
>>>>>> A configuration example:
>>>>>> ..
>>>>>> <acls>
>>>>>>   <role id="operator">
>>>>>>     <write id="operator-write-0" tag="nodes"/>
>>>>>>     <write id="operator-write-1" tag="status"/>
>>>>>>   </role>
>>>>>>   <role id="monitor">
>>>>>>     <read id="monitor-read-0" tag="nodes"/>
>>>>>>     <read id="monitor-read-1" tag="status"/>
>>>>>>   </role>
>>>>>
>>>>> [snip]
>>>>>
>>>>> Quick question, have you tried using crm_mon with a configuration like this?
>>>>> I'm pretty sure you'll get nothing sensible as it can't find the resources.
>>>> Indeed. I once thought that the information from "<status..." could be enough
>>>> for monitoring, but then realized that both the nodes and resources from
>>>> "<configuration..." are required.
>>>>
>>>>>
>>>>> Might want to think about how to deal with that...
>>>> We could either give some well defined ACLs for that, or is it possible that
>>>> crm_mon doesn't depend on the info from "configuration"?
>>>
>>> No, crm_mon definitely needs the full configuration.
>> Well, so perhaps we could usually define the roles as:
>>
>> ..
>> <acls>
>>   <role id="operator">
>>     <write id="operator-write-0" tag="nodes"/>
>>     <write id="operator-write-1" tag="status"/>
>>     <read id="operator-read-0" tag="cib"/>
>>   </role>
>>   <role id="monitor">
>>     <read id="monitor-read-0" tag="cib"/>
>>   </role>
>> ..
>
> And put exclusions for things like passwords before the read for the whole
> cib?

Yes. We should specify any "deny" and "write" objects before it.

Thanks,
  Yan

-- 
Yan Gao <y...@novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
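
An added illustration of the ordering rule agreed in this message (not part of the original email and not Pacemaker code): a small model that evaluates a role's rules in document order with the first match winning. The first-match semantics, the `<deny ... tag="..."/>` syntax, rules covering descendant elements, and the `secrets` element name are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed roles: the thread's <read> element plus a <deny> element with a
# tag attribute (assumed syntax; the thread only names "deny" objects).
DENY_FIRST = """<role id="monitor">
  <deny id="monitor-deny-0" tag="secrets"/>
  <read id="monitor-read-0" tag="cib"/>
</role>"""
READ_FIRST = """<role id="monitor">
  <read id="monitor-read-0" tag="cib"/>
  <deny id="monitor-deny-0" tag="secrets"/>
</role>"""

# Constructed CIB fragment; "secrets" is a placeholder element name.
CIB = """<cib>
  <configuration>
    <nodes><node id="n1"/></nodes>
    <secrets><nvpair id="p1" name="passwd" value="example-only"/></secrets>
  </configuration>
  <status/>
</cib>"""

def decide(rules, path):
    """First rule whose tag names the element or one of its ancestors wins."""
    for rule in rules:              # document order is evaluation order
        if rule.get("tag") in path:
            return rule.tag         # "read", "write" or "deny"
    return "deny"                   # assumed default: no matching rule, no access

def readable_paths(role_xml, cib_xml):
    """Return the element paths this role may read under the model above."""
    rules = list(ET.fromstring(role_xml))
    visible = []

    def walk(elem, parents):
        path = parents + [elem.tag]
        # Assumption: "write" access implies the element is also readable.
        if decide(rules, path) in ("read", "write"):
            visible.append("/".join(path))
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(cib_xml), [])
    return visible

if __name__ == "__main__":
    print("deny first:", readable_paths(DENY_FIRST, CIB))
    print("read first:", readable_paths(READ_FIRST, CIB))
```

With the broad `tag="cib"` read listed first, the later deny is never reached and the `secrets` subtree stays visible, which is why the exclusions have to precede it.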