Closed mtstv closed 8 years ago
jochenkoschorke
commented
8 years ago Hi,
as far as I see, you're creating the same group 3 times inside the loop (name is always 'etc-cloudservices-marketAA-ca'). So in the second cycle the error gets thrown. You have to make the group-name unique, e.g. by adding the variable to the name each time.
mtstv
commented
8 years ago No, I have only one group definition and I create 3 different ACEs 3 times for that group. It works in the 1.5.0
jochenkoschorke
commented
8 years ago Sorry, you're right the definition is correct.
mtstv
commented
8 years ago Either multiple ACE definition for the same group must be allowed again like in the 1.5.0
- ace_config:
- for cloudType IN [ mycloud1, mycloud2, mycloud3 ]:
- etc-cloudservices-marketAA-ca:
- path: /etc/cloudservices/${cloudType}/marketAA
permission: allow
actions: read,modify,create,delete,replicate
privileges:
repGlob: or the LOOP definition must be placed between group name and ACEs like
- ace_config:
- etc-cloudservices-marketAA-ca:
- for cloudType IN [ mycloud1, mycloud2, mycloud3 ]:
- path: /etc/cloudservices/${cloudType}/marketAA
permission: allow
actions: read,modify,create,delete,replicate
privileges:
repGlob: The last one I just tested and it works in the 1.8.1.
mtstv
commented
8 years ago So, now I must repeat the same LOOP definition 12 times instead of one as it was early in the 1.5.0, because I need to define ACE for different groups.
- ace_config:
- etc-cloudservices-marketAA-ca:
- for cloudType IN [ mycloud1, mycloud2, mycloud3 ]:
- path: /etc/cloudservices/${cloudType}/marketAA
permission: allow
actions: read,modify,create,delete,replicate
privileges:
repGlob:
- node-etc-cloudservices-marketAA:
- for cloudType IN [ mycloud1, mycloud2, mycloud3 ]:
- path: /etc/cloudservices/${cloudType}/marketAA
permission: allow
actions: read
privileges:
repGlob:
- etc-cloudservices-marketAA-cr-common:
- for cloudType IN [ mycloud1, mycloud2, mycloud3 ]:
- path: /etc/cloudservices/${cloudType}/marketAA/common
permission: allow
actions: read
privileges:
repGlob:
.......
so, the solution to change the places for the group name and loop definition.
ghenzler
commented
8 years ago In 1.5.0 it sort of was a regression, that duplicate group sections were allowed - initially it was not meant to be allowed, and the loops were operating later than the validator check. in 1.8.1 the validator is now effective again on the whole effective model, that's why you get the error. But I think it is probably worthwhile to remove this particular validation (because for loops it is really useful to reduce duplication, and for configurations that don't contain a loop it is not actually a problem, it's just nicer to then have the group exactly once)
ghenzler
commented
8 years ago
In the version 1.8.1 to compare to 1.5.0 I can't use a loop for ACE definition anymore and I get the next error
We use 24 cloud configs and 12 ACE definitions for each unique content tree. With AC Tool 1.5.0 I used 12 ACE definitions inside of loop. To use the version 1.8.1 I need now to put 288 static ACE definitions for each site content tree. I find it actually not optimal.