Hi Dejan,

Dejan Muhamedagic wrote:
> Hi Yan,
>
> On Wed, Jan 13, 2010 at 01:21:29PM +0800, Yan Gao wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
>>>> Hi Dejan,
>>>>
>>>> Dejan Muhamedagic wrote:
>>>>> Hi,
>>>>>
>>>>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
>>>>>> ..
>>>>>> <acls>
>>>>>>   <role id="admin">
>>>>>>     <write id="admin-write-0" tag="configuration"/>
>>>>>>     <write id="admin-write-1" tag="status"/>
>>>>>>   </role>
>>>>>>   <role id="operator">
>>>>>>     <write id="operator-write-0" tag="nodes"/>
>>>>>>     <write id="operator-write-1" tag="status"/>
>>>>>>   </role>
>>>>>>   <role id="monitor">
>>>>>>     <read id="operator-read-0" tag="nodes"/>
>>>>>>     <read id="monitor-read-1" tag="status"/>
>>>>>>     <members>
>>>>>>       <uid id="ygao"/>
>>>>>>     </members>
>>>>>>   </role>
>>>>>>   <user id="ygao">
>>>>>>     <write id="ygao-write-0" ref="rsc0-meta_attributes-target-role"/>
>>>>>>     <deny id="gaoyan-deny-0"
>>>>>>           ref="rsc0-instance_attributes-password"/>
> [...]
>>>>>> The user "ygao" is a system account.
>>>>>> We could define several roles as we wish, such as "admin",
>>>>>> "operator" and "monitor", each of which could contain a member list
>>>>>> if more than one user has the same permissions. A
>>>>>> role could also be referenced by a particular "<user ...>"
>>>>>> definition.
>>>>> I find this a bit confusing: roles have members and users can
>>>>> reference roles. Shouldn't one of the two suffice?
>>>> A user can reference one or more roles to combine the rules with his
>>>> particular definition. But if several users are supposed to have
>>>> exactly the same permissions, the "members" under a "role" could avoid
>>>> defining the users via separate "<user ..." entries one by one.
>>>>
>>>>> The way it is
>>>>> now, it's also hard to follow.
>>>> What if we separate it into two cases for a user definition in crm shell:
>>>> 1. "is" a role
>>>> 2. "ref" one role or more roles.
>>> But, let's try to forget for a moment the shell or CRM in general.
>>> I'm trying to understand why a role reference makes things
>>> better. Actually, it would be great if you could give an example
>>> which would clearly show an advantage of such use.
>> For example:
>> User A has the right to operate rsc1, while user B has the right to
>> operate rsc2. Besides that, we might want to grant them some other
>> permissions in common, for instance allowing them to monitor the status of the cluster.
>> So we could define a common role "monitor" for reference instead
>> of defining similar rules repeatedly.
>
> Where's the difference between this and adding users to "monitor"
> (the member element)?
If a user only references one role and doesn't have other ACLs, there's no difference except making the XML more concise :-)

If a user has other specific ACLs besides the role reference, he could interleave them as he needs.

Regards,
Yan
--
Yan Gao <y...@novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.

_______________________________________________
Pacemaker mailing list
Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker
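The two mechanisms debated above (listing a user under a role's `<members>` versus a `<user>` definition referencing the role) as an added example, not code from the thread or from Pacemaker: a small resolver that flattens one user's ACL from both paths and shows that a role reference yields the same rules as membership, while a user-specific deny can be interleaved with it. The `<role_ref>` element name and first-match evaluation order are assumptions; the thread elides both.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's <acls> fragment; the <role_ref>
# element name is an assumption (the thread elides how a <user> references a role).
ACL_XML = """
<acls>
  <role id="monitor">
    <read id="monitor-read-0" tag="nodes"/>
    <read id="monitor-read-1" tag="status"/>
    <members><uid id="alice"/></members>
  </role>
  <user id="ygao">
    <write id="ygao-write-0" ref="rsc0-meta_attributes-target-role"/>
    <deny id="ygao-deny-0" ref="rsc0-instance_attributes-password"/>
    <role_ref id="monitor"/>
  </user>
</acls>
"""
RULE_TAGS = ("read", "write", "deny")

def _rule(elem):
    # A rule targets either an element tag (tag="status") or an id (ref="...").
    mode = "tag" if elem.get("tag") is not None else "ref"
    return (elem.tag, mode, elem.get(mode))

def effective_rules(acl_xml, uid):
    """Flatten one user's ACL into an ordered list of (kind, mode, target)."""
    root = ET.fromstring(acl_xml)
    roles = {r.get("id"): r for r in root.findall("role")}
    rules = []
    # 1. Roles that list the uid under <members> apply as written.
    for role in roles.values():
        if any(u.get("id") == uid for u in role.findall("members/uid")):
            rules += [_rule(e) for e in role if e.tag in RULE_TAGS]
    # 2. The user's own definition, in document order, so a user-specific
    #    rule such as the password deny can be interleaved with role references.
    for user in (u for u in root.findall("user") if u.get("id") == uid):
        for e in user:
            if e.tag in RULE_TAGS:
                rules.append(_rule(e))
            elif e.tag == "role_ref" and e.get("id") in roles:
                rules += [_rule(r) for r in roles[e.get("id")] if r.tag in RULE_TAGS]
    return rules

def permission(acl_xml, uid, mode, target):
    """First matching rule wins; no match means no access (both assumptions)."""
    for kind, m, t in effective_rules(acl_xml, uid):
        if (m, t) == (mode, target):
            return kind
    return "none"
```

Running `effective_rules(ACL_XML, "ygao")` and `effective_rules(ACL_XML, "alice")` shows the same two read rules arriving via the reference and via membership respectively, with ygao's write and deny entries in front of them.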