[Pacemaker] Multi-level ACLs for the CIB
Yan Gao <ygao at novell.com>
Mon Feb 22 07:58:44 UTC 2010

Hi Andrew,
On 02/08/10 17:48, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <ygao at novell.com> wrote:
>>> And put exclusions for things like passwords before the read for the whole cib?
>> Yes. We should specify any "deny" and "write" objects before it.
> 
> I like the syntax now, but my original concern (that all the
> validation occurs in the client library) remains... so this still
> isn't providing any real security.
Right. If it's impossible for cib to run as root, I'm considering
investigating PolicyKit to see if we could achieve authentication
through it. Any suggestions?
Regards,
  Yan
-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
    
    