Hi Yan,

On Wed, Jan 13, 2010 at 01:21:29PM +0800, Yan Gao wrote:
> Dejan Muhamedagic wrote:
> > Hi,
> >
> > On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
> >> Hi Dejan,
> >>
> >> Dejan Muhamedagic wrote:
> >>> Hi,
> >>>
> >>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
> >>>> ..
> >>>> <acls>
> >>>>   <role id="admin">
> >>>>     <write id="admin-write-0" tag="configuration"/>
> >>>>     <write id="admin-write-1" tag="status"/>
> >>>>   </role>
> >>>>   <role id="operator">
> >>>>     <write id="operator-write-0" tag="nodes"/>
> >>>>     <write id="operator-write-1" tag="status"/>
> >>>>   </role>
> >>>>   <role id="monitor">
> >>>>     <read id="operator-read-0" tag="nodes"/>
> >>>>     <read id="monitor-read-1" tag="status"/>
> >>>>     <members>
> >>>>       <uid id="ygao"/>
> >>>>     </members>
> >>>>   </role>
> >>>>   <user id="ygao">
> >>>>     <write id="ygao-write-0" ref="rsc0-meta_attributes-target-role"/>
> >>>>     <deny id="gaoyan-deny-0"
> >>>>           ref="rsc0-instance_attributes-password"/>
> >>>> [...]
> >>>> The user "ygao" is a system account.
> >>>> We could define several roles as we wish, such as "admin",
> >>>> "operator" and "monitor", which could each contain a member list
> >>>> if more than one user has the same permissions. A role could
> >>>> also be referenced by a particular "<user ...>" definition.
> >>> I find this a bit confusing: roles have members and users can
> >>> reference roles. Shouldn't one of the two suffice?
> >> A user can reference one or more roles to combine their rules with his
> >> particular definition. But if several users are supposed to have
> >> exactly the same permissions, the "members" under a "role" avoids
> >> defining the users via separate "<user ..." elements one by one.
> >>
> >>> The way it is
> >>> now, it's also hard to follow.
> >> What if we separate it into two cases for a user definition in the crm shell:
> >> 1. "is" a role
> >> 2. "ref" one or more roles.
> >
> > But, let's try to forget for a moment the shell or CRM in general.
> > I'm trying to understand why a role reference makes things
> > better. Actually, it would be great if you could give an example
> > which would clearly show an advantage of such use.
> For example:
> User A has the right to operate rsc1, while user B has the right to
> operate rsc2. Besides that, we might want to grant them some other
> common permissions, for instance allowing them to monitor the status
> of the cluster. So we could define a common role "monitor" for
> reference instead of defining similar rules repeatedly.

Where's the difference between this and adding users to "monitor" (the member element)?

Thanks,

Dejan

_______________________________________________
Pacemaker mailing list
Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker
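As an added illustration of the schema under discussion (not code from the thread or from Pacemaker): a small resolver that computes a user's effective rules from the proposed `<acls>` layout, collecting rules from roles that list the user under `<members>`, from roles the user's own entry references, and from the user's direct `read`/`write`/`deny` rules. The `<role_ref>` element inside `<user>` and the sample document are assumptions, since the thread shows no syntax for a user referencing a role.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ACL proposal in the thread. The
# <role_ref> child of <user> is an ASSUMED syntax for "user references a role".
ACLS = """<acls>
  <role id="monitor">
    <read id="monitor-read-0" tag="nodes"/>
    <read id="monitor-read-1" tag="status"/>
    <members><uid id="userA"/></members>
  </role>
  <role id="rsc2-operator">
    <write id="rsc2-write-0" ref="rsc2"/>
  </role>
  <user id="userA">
    <write id="userA-write-0" ref="rsc1"/>
    <deny id="userA-deny-0" ref="rsc1-instance_attributes-password"/>
  </user>
  <user id="userB">
    <role_ref id="monitor"/>
    <role_ref id="rsc2-operator"/>
  </user>
</acls>"""

RULE_TAGS = ("read", "write", "deny")

def rules_of(elem):
    """Collect (kind, target) pairs from the read/write/deny children of elem.
    A rule names its target either by id (ref=) or by section (tag=)."""
    out = []
    for child in elem:
        if child.tag in RULE_TAGS:
            target = child.get("ref") or "tag:" + child.get("tag")
            out.append((child.tag, target))
    return out

def effective_rules(xml_text, uid):
    """Union of rules granted via role membership, via role references in
    the user's own entry, and via the user's direct rules. Membership and
    reference contribute identical rules, so the set union merges them."""
    root = ET.fromstring(xml_text.strip())
    roles = {r.get("id"): r for r in root.findall("role")}
    rules = []
    for role in roles.values():
        if role.find(f"members/uid[@id='{uid}']") is not None:
            rules += rules_of(role)
    user = root.find(f"user[@id='{uid}']")
    if user is not None:
        for ref in user.findall("role_ref"):
            rules += rules_of(roles[ref.get("id")])
        rules += rules_of(user)
    return sorted(set(rules))
```

Whether a `deny` outranks a `write` on an overlapping target is not settled in the thread, so the resolver only reports both rather than deciding precedence.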