[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Mon Feb 22 02:58:44 EST 2010

Hi Andrew,

On 02/08/10 17:48, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <ygao at novell.com> wrote:
>>> And put exclusions for things like passwords before  the read for the whole cib?
>> Yes. We should specify any "deny" and "write" objects before it.
> I like the syntax now, but my original concern (that all the
> validation occurs in the client library) remains... so this still
> isn't providing any real security.
Right. If it's impossible for cib to run as root, I'm considering
investigating PolicyKit to see if we could achieve authentication
through it. Any suggestion?

Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.

More information about the Pacemaker mailing list