[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Tue Feb 23 04:23:51 EST 2010

On 02/23/10 04:10, Andrew Beekhof wrote:
> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao <ygao at novell.com> wrote:
>> Hi Andrew,
>> On 02/08/10 17:48, Andrew Beekhof wrote:
>>> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <ygao at novell.com> wrote:
>>>>> And put exclusions for things like passwords before  the read for the whole cib?
>>>> Yes. We should specify any "deny" and "write" objects before it.
>>> I like the syntax now, but my original concern (that all the
>>> validation occurs in the client library) remains... so this still
>>> isn't providing any real security.
>> Right. If it's impossible for cib to run as root,
> If you need root for this, I think we can allow that change for 1.1.
Great! So PAM is still preferred. Anyway, I'll have a dig at different
ways. I think we can make that change when the authentication is ready,
and if it's necessary.

Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.

More information about the Pacemaker mailing list