On 2006-07-09T19:39:59, Alan Robertson <[EMAIL PROTECTED]> wrote:

> Unless I miss the mark, the general security mechanism described cannot
> implement the roles I described - or at least not in an obvious way.

I think it can, with one exception:

> >>The operator role:
> >>     Can start/stop/restart resources

Needs write permission to the target_role attribute of the resources in
question.

> >>     Can put nodes into / take them out of standby mode
> >>     Can set/unset node attributes

Both amount to the same, write permissions to the instance_attributes of
the nodes. Probably though the write permissions will be further
restricted, to only allow access to the specific attributes. (Others may
be used by other purposes / different roles.)

> >>     Can force a resource to run on (not run on) a particular machine
> >>     Can remove such a constraint

Depends on how you do this. I'd probably do this by giving them write
permission to that (pre-created) constraint, which would allow them to
enable/disable it.

This is the one case where I'm not sure whether the model as such can
adequately express this, as they would have to be pre-created. A
wildcard (permission to define arbitrary constraints, as long as they
only affect rsc A, B, C) is more difficult to do. This may need more
thought.

But I'd venture this is a rare case (and permission to modify
pre-created constraints already 95% of the deal), constraints are
unlikely to change (much) after initial creation, so even if in this
case a sudo helper with the permissions of a higher level admin would
need to be invoked (with generic write permission to the constraints
section), that would qualify as an ugly work-around ;-)

But yes, what objects may be created and where is not easily expressed.
At the same time, a number of the generic features presented here
(giving certain roles only access to specific attributes) is not easily
expressed in your operator model either.

> >>     CANNOT change the configuration or modify general constraints

Easy - don't give them write access to the rest ;-)

POSIX ACLs, on the other hand, may be also an approach to explore.
They're much more powerful than Unix semantics. (Otoh, that is also
their problem.)

Sincerely,
    Lars Marowsky-Brée

-- 
High Availability & Clustering
SUSE Labs, Research and Development
SUSE LINUX Products GmbH - A Novell Business     -- Charles Darwin
"Ignorance more frequently begets confidence than does knowledge"

_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
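
Added example, not part of the original message and not Heartbeat/CRM code: a small default-deny model of the attribute-level write grants discussed above, showing the operator role and the one case (creating new constraints) that it cannot express. The section names, object ids and the "standby" and "enabled" attribute names are assumptions made for the example; target_role is the attribute named in the message.

```python
# Hypothetical model, not Heartbeat/CRM code. A grant is write permission on
# (section, object id, attribute); "*" is a wildcard; no matching grant = deny.
from fnmatch import fnmatchcase

# Constructed sample roles: object ids and the "standby"/"enabled" attribute
# names are assumptions made for this example.
OPERATOR = [
    ("resources", "rsc_A", "target_role"),          # start/stop/restart rsc_A
    ("resources", "rsc_B", "target_role"),
    ("nodes", "*", "standby"),                      # only this node attribute
    ("constraints", "pin_rsc_A_node1", "enabled"),  # pre-created constraint
]
ADMIN = [("constraints", "*", "*")]                 # generic section write

def may_write(grants, section, obj_id, attr):
    """True if a grant covers writing attr on the existing object obj_id."""
    return any(s == section and fnmatchcase(obj_id, o) and fnmatchcase(attr, a)
               for s, o, a in grants)

def may_create(grants, section):
    """Creating a new object requires write access to the whole section."""
    return any(s == section and o == "*" and a == "*" for s, o, a in grants)

def denied(grants, changes):
    """Return the requested changes that the role is not allowed to make."""
    out = []
    for op, section, obj_id, attr in changes:
        ok = (may_create(grants, section) if op == "create"
              else may_write(grants, section, obj_id, attr))
        if not ok:
            out.append((op, section, obj_id, attr))
    return out

# Constructed change requests from an operator session.
REQUESTS = [
    ("write", "resources", "rsc_A", "target_role"),            # allowed
    ("write", "nodes", "node1", "standby"),                    # allowed
    ("write", "constraints", "pin_rsc_A_node1", "enabled"),    # allowed
    ("write", "nodes", "node1", "site"),                       # other attribute
    ("write", "resources", "rsc_A", "class"),                  # configuration
    ("create", "constraints", "pin_rsc_B_node2", None),        # not pre-created
]

if __name__ == "__main__":
    for change in denied(OPERATOR, REQUESTS):
        print("DENY", change)
```

In this model the operator's request to create a new constraint is denied and only a role with generic write permission to the constraints section passes, which is the gap the message describes.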