[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Wed Dec 9 05:00:44 EST 2009


Hi Andrew, Lars,

On 12/08/09 21:16, Lars Marowsky-Bree wrote:
> On 2009-12-08T09:22:52, Andrew Beekhof <andrew at beekhof.net> wrote:
> 
>>> Basically, we'd like to see an ACL mechanism. It would be implemented at
>>> the CIB level. So that all the clients - CLI , CRM shell, GUI, etc... -
>>> could benefit. Clients are authenticated via PAM, so we can use uid/gid
>>> for identification.
>>
>> Actually you probably can't do this.
>> Daemons (like the cib) which are not running as root can only
>> authenticate the username/password of the user they're running as.
> 
> Well, the non-root internal uids/daemons would of course get exceptions
> just like root, this is about external interfaces.
Actually, after thinking over the problem, I'm a bit confused... So I will
briefly describe what is in my mind; please correct me if there's any problem.

First, currently non-root users are able to connect to the cib through
either unix or network sockets as long as they belong to the "haclient"
group. We could keep this requirement.

Then the cib should authenticate the client via PAM to identify who is
connecting to it. Otherwise the daemon could not determine who the
client is really running as, rather than who he claims he is, right?

Though even if the cib has the right to authenticate users, users would
need to be prompted for their own username/password again when they connect
a client to the cib, after logging into a shell. And perhaps they would need
to be prompted every time they run a client later, unless we implement a
mechanism like "sudo".

I noticed several environment variables such as "CIB_user" and "CIB_password"
are introduced for remote access to the cib. Should we adopt that for local
access too?

> 
>>>        <deny ref="stonith1-instance_attributes-ilo_password" />
>>>        <read ref="stonith1" />
>>>        <read ref="#status" />
>> Please, no hashes here.
> 
> This stems from the fact that the status XML element doesn't have an id;
> but for general access to specific sections (XML elements) it may be
> worth adding a section=(...) attribute instead of a special prefix in
> the ref="" attribute.
Agreed.

Thanks,
  Yan
-- 
ygao at novell.com
Software Engineer
China Server Team, OPS Engineering

Novell, Inc.
Making IT Work As One™

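The ACL semantics sketched in this thread (a deny on a single attribute id overriding a read granted on the enclosing resource, and a section= attribute for id-less sections such as status instead of a "#status" prefix) worked through as an added example. This is illustrative code written for this page, not Pacemaker's own ACL implementation; the CIB fragment, the <acl> rule syntax, the nearest-rule precedence and the deny-by-default policy are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed CIB-like document (illustrative, not a real Pacemaker CIB).
CIB_XML = """<cib>
  <configuration>
    <resources>
      <primitive id="stonith1" class="stonith" type="external/ipmi">
        <instance_attributes id="stonith1-instance_attributes">
          <nvpair id="stonith1-instance_attributes-ilo_password"
                  name="ilo_password" value="hunter2"/>
          <nvpair id="stonith1-instance_attributes-hostname"
                  name="hostname" value="node1-ilo"/>
        </instance_attributes>
      </primitive>
      <primitive id="web1" class="ocf" type="apache"/>
    </resources>
  </configuration>
  <status>
    <node_state id="node1" crmd="online"/>
  </status>
</cib>"""

# Constructed ruleset in the shape the thread sketches (assumed syntax): ref= targets
# an element by id, section= targets an id-less direct child of <cib> such as status.
ACL_XML = """<acl>
  <deny ref="stonith1-instance_attributes-ilo_password"/>
  <read ref="stonith1"/>
  <read section="status"/>
</acl>"""


def parse_rules(acl_xml):
    """Return (kind, ref, section) triples; kind is the rule's tag: read, write or deny."""
    return [(r.tag, r.get("ref"), r.get("section")) for r in ET.fromstring(acl_xml)]


def direct_kinds(elem, parent, rules):
    """Kinds of every rule naming this element itself (by id, or by section name
    when the element is a direct child of <cib>)."""
    kinds = []
    for kind, ref, section in rules:
        if ref is not None and elem.get("id") == ref:
            kinds.append(kind)
        elif (section is not None and parent is not None
              and parent.tag == "cib" and elem.tag == section):
            kinds.append(kind)
    return kinds


def effective_permission(elem, parents, rules):
    """Walk from the element towards the root; the nearest element named by a rule
    decides. That is what lets a deny on one nvpair override a read on the whole
    resource. Conflicting rules on the same element resolve to deny, and an element
    no rule covers is denied by default (assumed policy)."""
    node = elem
    while node is not None:
        kinds = direct_kinds(node, parents.get(node), rules)
        if kinds:
            return "deny" if "deny" in kinds else kinds[0]
        node = parents.get(node)
    return "deny"


def filtered_view(elem, parents, rules):
    """Copy of the subtree holding only readable elements. An unreadable element with
    readable descendants is kept as bare scaffolding (tag and id only) so the result
    stays well-formed; an unreadable leaf such as the password nvpair is dropped."""
    kept = [c for c in (filtered_view(ch, parents, rules) for ch in elem) if c is not None]
    if effective_permission(elem, parents, rules) == "deny":
        if not kept:
            return None
        new = ET.Element(elem.tag)
        if elem.get("id") is not None:
            new.set("id", elem.get("id"))
    else:
        new = ET.Element(elem.tag, dict(elem.attrib))
        new.text = elem.text
    new.extend(kept)
    return new


def load(cib_xml, acl_xml):
    """Parse both documents and build the child -> parent map the walk needs."""
    root = ET.fromstring(cib_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    return root, parents, parse_rules(acl_xml)


def permission_for_id(cib_xml, acl_xml, elem_id):
    root, parents, rules = load(cib_xml, acl_xml)
    return effective_permission(root.find(f".//*[@id='{elem_id}']"), parents, rules)


def visible_ids(cib_xml, acl_xml):
    """Ids that survive in the read-filtered view handed back to the client."""
    root, parents, rules = load(cib_xml, acl_xml)
    view = filtered_view(root, parents, rules)
    return {e.get("id") for e in view.iter() if e.get("id") is not None}


if __name__ == "__main__":
    root, parents, rules = load(CIB_XML, ACL_XML)
    print(ET.tostring(filtered_view(root, parents, rules), encoding="unicode"))
```

Running the block prints the CIB as this client would see it: stonith1 and its hostname attribute are present, the ilo_password nvpair is gone, web1 (covered by no rule) is gone, and the status section is readable through the section= rule without any special id prefix. Evaluating on the server side, over the whole tree, is what makes every client (CLI, shell, GUI) benefit equally, which is the point made at the top of the thread.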