[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Thu Dec 10 04:18:14 EST 2009


On 12/09/09 18:28, Andrew Beekhof wrote:
> On Wed, Dec 9, 2009 at 11:00 AM, Yan Gao <ygao at novell.com> wrote:
>> Hi Andrew, Lars,
>>
>> On 12/08/09 21:16, Lars Marowsky-Bree wrote:
>>> On 2009-12-08T09:22:52, Andrew Beekhof <andrew at beekhof.net> wrote:
>>>
>>>>> Basically, we'd like to see an ACL mechanism. It would be implemented at
>>>>> the CIB level. So that all the clients - CLI , CRM shell, GUI, etc... -
>>>>> could benefit. Clients are authenticated via PAM, so we can use uid/gid
>>>>> for identification.
>>>>
>>>> Actually you probably can't do this.
>>>> Daemons (like the cib) which are not running as root can only
>>>> authenticate the username/password of the user they're running as.
>>>
>>> Well, the non-root internal uids/daemons would of course get exceptions
>>> just like root, this is about external interfaces.
>> Actually, after thinking over the problem, I'm a bit confused... So I'll
>> briefly describe what's in my mind; please correct me if there's any problem.
>>
>> First, currently non-root users are able to connect to the cib through
>> either unix or network sockets as long as they belong to the "haclient"
>> group. We could keep this requirement.
>>
>> Then the cib should authenticate the client via PAM to identify who is
>> connecting to it.
> 
> That's what I'm saying, it can only do this for the hacluster user.
> Because it's not running as root.
Indeed, that's the real problem. Without authentication, that would not
be real access control. No idea if there's any other solution... Lars,
what's your recommendation?

>>
>> I noticed several environment variables such as "CIB_user" and
>> "CIB_password" are introduced for remote access to the cib. Should we
>> adopt that for local access too?
> 
> Probably for CIB_user but not CIB_password.
> I shouldn't have added that one.
I see.

Thanks,
  Yan
-- 
ygao at novell.com
Software Engineer
China Server Team, OPS Engineering

Novell, Inc.
Making IT Work As One™
