
13.3. ACL Roles

An ACL role is a collection of permissions allowing or denying access to particular portions of the CIB.

Table 13.1. Properties of an ACL Role

Attribute      Description

id             A unique name for the role (required)

description    Arbitrary text (not used by Pacemaker)

An acl_role element may contain any number of acl_permission elements.

Table 13.2. Properties of an ACL Permission

Attribute      Description

id             A unique name for the permission (required)

description    Arbitrary text (not used by Pacemaker)

kind           The access being granted. Allowed values are read, write, and deny. A value of write grants both read and write access.

object-type    The name of an XML element in the CIB to which the permission applies. (Exactly one of object-type, xpath, and reference must be specified for a permission.)

attribute      If specified, the permission applies only to object-type elements that have this attribute set (to any value). If not specified, the permission applies to all object-type elements. May only be used with object-type.

reference      The ID of an XML element in the CIB to which the permission applies. (Exactly one of object-type, xpath, and reference must be specified for a permission.)

xpath          An XPath specification selecting an XML element in the CIB to which the permission applies. Attributes may be specified in the XPath to select particular elements, but the permissions apply to the entire element. (Exactly one of object-type, xpath, and reference must be specified for a permission.)

Important

  • Permissions are applied to the selected XML element’s entire XML subtree (all elements enclosed within it).
  • Write permission grants the ability to create, modify, or remove the element and its subtree, and also the ability to create any "scaffolding" elements (enclosing elements that do not have attributes other than an ID).
  • Permissions for more specific matches (more deeply nested elements) take precedence over more general ones.
  • If multiple permissions are configured for the same match (for example, in different roles applied to the same user), any deny permission takes precedence, then write, then lastly read.
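The following Python script is an added example, not part of the Pacemaker documentation or of Pacemaker's own ACL code. It builds a small constructed CIB fragment and an acls section using the acl_role and acl_permission attributes from Tables 13.1 and 13.2 (object-type with attribute, reference, and xpath selectors), and then resolves the effective access of one or more roles to a CIB element according to the four rules in the Important box: permissions cover the selected element's whole subtree, the most deeply nested match wins, and among permissions on the same match deny beats write, which beats read. Two things are assumptions of this model rather than statements from the page: the XPath dialect is the limited one of Python's xml.etree (absolute paths are anchored at the root element by hand), and an element that no permission covers is reported as "none".

```python
import xml.etree.ElementTree as ET

# Constructed sample CIB fragment (not taken from a real cluster).
CIB_XML = """<cib>
  <configuration>
    <crm_config/>
    <resources>
      <primitive id="dummy-rsc" class="ocf" provider="pacemaker" type="Dummy">
        <instance_attributes id="dummy-rsc-instance_attributes">
          <nvpair id="dummy-rsc-op_sleep" name="op_sleep" value="5"/>
        </instance_attributes>
      </primitive>
      <primitive id="lsb-rsc" class="lsb" type="example"/>
    </resources>
    <constraints/>
  </configuration>
</cib>"""

# Constructed ACL roles: one permission of each selector kind.
ACLS_XML = """<acls>
  <acl_role id="operator" description="may edit one resource">
    <acl_permission id="operator-read-rscs" kind="read" xpath="/cib/configuration/resources"/>
    <acl_permission id="operator-write-dummy" kind="write" reference="dummy-rsc"/>
    <acl_permission id="operator-deny-op_sleep" kind="deny" reference="dummy-rsc-op_sleep"/>
  </acl_role>
  <acl_role id="auditor">
    <acl_permission id="auditor-read-ocf" kind="read" object-type="primitive" attribute="provider"/>
  </acl_role>
</acls>"""

# Tie-break order from the page: deny, then write, then read.
KIND_RANK = {"deny": 3, "write": 2, "read": 1}


def _xpath_matches(root, xpath):
    """Evaluate an XPath with ElementTree's limited dialect. ElementTree only
    searches relative to an element, so absolute paths are anchored at the
    root element by hand (an assumption of this model, not real XPath)."""
    if xpath.startswith("//"):
        return root.findall("." + xpath)
    if xpath.startswith("/"):
        head, _, rest = xpath[1:].partition("/")
        if head != root.tag:
            return []
        return [root] if not rest else root.findall("./" + rest)
    return root.findall(xpath)


def matched_elements(cib_root, perm):
    """Return the set of CIB elements an acl_permission selects, enforcing the
    'exactly one of object-type, xpath, reference' rule from Table 13.2."""
    if perm.get("kind") not in KIND_RANK:
        raise ValueError(f"permission {perm.get('id')!r}: kind must be read, write or deny")
    selectors = [k for k in ("object-type", "xpath", "reference") if perm.get(k) is not None]
    if len(selectors) != 1:
        raise ValueError(f"permission {perm.get('id')!r}: exactly one selector is required")
    sel = selectors[0]
    if perm.get("attribute") is not None and sel != "object-type":
        raise ValueError(f"permission {perm.get('id')!r}: attribute is only valid with object-type")
    if sel == "reference":
        return {e for e in cib_root.iter() if e.get("id") == perm.get("reference")}
    if sel == "object-type":
        attr = perm.get("attribute")  # restrict to elements that have this attribute set
        return {e for e in cib_root.iter(perm.get("object-type")) if attr is None or e.get(attr) is not None}
    return set(_xpath_matches(cib_root, perm.get("xpath")))


def load_permissions(acls_root, cib_root, role_ids):
    """Collect (kind, matched element set) pairs from the named roles."""
    return [(perm.get("kind"), matched_elements(cib_root, perm))
            for role in acls_root.findall("acl_role") if role.get("id") in role_ids
            for perm in role.findall("acl_permission")]


def effective_access(cib_root, perms, element):
    """Walk from the element up to the root; the first (most deeply nested)
    ancestor-or-self that any permission selects decides, and among the
    permissions on that match deny > write > read. Nothing matched -> 'none'."""
    parent = {child: p for p in cib_root.iter() for child in p}
    node = element
    while node is not None:
        kinds = [kind for kind, matched in perms if node in matched]
        if kinds:
            return max(kinds, key=KIND_RANK.__getitem__)
        node = parent.get(node)
    return "none"  # assumption: an element no permission covers is inaccessible


def access_for(role_ids, element_id):
    """Effective kind ('deny', 'write', 'read' or 'none') for a CIB element id."""
    cib_root = ET.fromstring(CIB_XML)
    perms = load_permissions(ET.fromstring(ACLS_XML), cib_root, role_ids)
    element = next((e for e in cib_root.iter() if e.get("id") == element_id), None)
    if element is None:
        raise KeyError(element_id)
    return effective_access(cib_root, perms, element)


def may(role_ids, element_id, access):
    """True if the roles grant the requested access; write implies read."""
    kind = access_for(role_ids, element_id)
    return kind == "write" if access == "write" else kind in ("read", "write")


if __name__ == "__main__":
    for roles in (["operator"], ["auditor"], ["operator", "auditor"]):
        for eid in ("dummy-rsc", "dummy-rsc-op_sleep", "lsb-rsc"):
            print(f"{','.join(roles):17} {eid:22} -> {access_for(roles, eid)}")
```

Running the script shows each rule in turn: the operator's write on dummy-rsc covers the nested instance_attributes element (subtree rule) but not the nvpair, where the more specific deny wins; the auditor's object-type permission with attribute="provider" reaches the ocf primitive but not the lsb one; and when both roles apply to dummy-rsc-op_sleep, the deny on the nvpair outranks the auditor's read inherited from the primitive.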