[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Wed Mar 17 06:12:24 EDT 2010


Hi Andrew,

On 02/23/10 17:23, Yan Gao wrote:
> On 02/23/10 04:10, Andrew Beekhof wrote:
>> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao <ygao at novell.com> wrote:
>>> Hi Andrew,
>>>
>>> On 02/08/10 17:48, Andrew Beekhof wrote:
>>>> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <ygao at novell.com> wrote:
>>>>>> And put exclusions for things like passwords before the read for the whole cib?
>>>>> Yes. We should specify any "deny" and "write" objects before it.
>>>>
>>>> I like the syntax now, but my original concern (that all the
>>>> validation occurs in the client library) remains... so this still
>>>> isn't providing any real security.
>>> Right. If it's impossible for cib to run as root,
>>
>> If you need root for this, I think we can allow that change for 1.1.
>>
> Great! So PAM is still preferred. Anyway, I'll have a dig at different
> ways. I think we can make that change when the authentication is ready,
> and if it's necessary.
After investigating, I found that Unix domain sockets provide methods to
identify the user on the other side of a socket. That means we don't need
PAM to do authentication for local access, and the clients don't need
to prompt the user to input and transfer a username/password to the server.
And the cib daemon can still run as "hacluster".

I've improved the ipcsocket library of cluster-glue to record the user's identity
info for cib to use.

The behavior of remote access to the cib is still like before.

Attached are the patch for cluster-glue and the updated patch for pacemaker. Looking
forward to your review and comments. Thanks!


BTW, a little revision of devel branch:

diff -r f78972892449 configure.ac
--- a/configure.ac	Wed Mar 17 16:03:23 2010 +0800
+++ b/configure.ac	Wed Mar 17 16:19:06 2010 +0800
@@ -431,7 +431,7 @@

 dnl Create symlinks to here from CRM_DAEMON_DIR when needed
 HB_DAEMON_DIR=`extract_header_define $GLUE_HEADER HA_LIBHBDIR`
-AC_DEFINE_UNQUOTED(HB_DAEMON_DIR,"HB_DAEMON_DIR", Location for Heartbeat expects Pacemaker daemons to be in)
+AC_DEFINE_UNQUOTED(HB_DAEMON_DIR,"$HB_DAEMON_DIR", Location for Heartbeat expects Pacemaker daemons to be in)
 AC_SUBST(HB_DAEMON_DIR)

 dnl Needed so that the AIS plugin can clear out the directory as Heartbeat does
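Review bot: on the AC_DEFINE_UNQUOTED line, nothing checks that HB_DAEMON_DIR is non-empty after `extract_header_define $GLUE_HEADER HA_LIBHBDIR`, so now that the value is expanded with `$`, a failed extraction would silently define HB_DAEMON_DIR as an empty string instead of failing configure; an explicit test with an error for the empty case before the define would make that visible. The description argument is also passed without m4 `[ ]` quoting and reads awkwardly ("Location for Heartbeat expects ..."); quoting it and rewording to something like "Location Heartbeat expects Pacemaker daemons to be in" would be cleaner.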


Regards,
  Yan
-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pacemaker-cib-acl.diff
Type: text/x-patch
Size: 30276 bytes
Desc: not available
URL: <http://lists.clusterlabs.org/pipermail/pacemaker/attachments/20100317/865198a4/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cluster-glue-socket-uid.diff
Type: text/x-patch
Size: 5650 bytes
Desc: not available
URL: <http://lists.clusterlabs.org/pipermail/pacemaker/attachments/20100317/865198a4/attachment-0001.bin>

