[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Tue Jan 12 03:12:52 EST 2010 

Hi Lars,

Lars Marowsky-Bree wrote:
> On 2010-01-11T15:02:29, Andrew Beekhof <andrew at beekhof.net> wrote:
> 
>>> For this authentication issue of local access we discussed last time, I
>>> added a geteuid() in the cib_native_signon_raw() function from libcib.
>>> Once a client signs on the CIB, it'll invoke the function and transfer
>>> its uid to the server end.
>> I don't see anywhere that the server checks passwords.  Is that really
>> intentional?
> 
> I agree, the server needs to verify the credentials. Client-side UID is
> not strong enough - after all, we're trying to authenticate & authorize
> the _client_, and it won't do to have the client tell us what it thinks
> its auth level should be - that would be a bit easy to cheack ;-)
> 
>> Whats the role of this code, is it meant to provide actual security?
>> Or is it just casual protection from people accidentally touching
>> stuff they probably didn't mean to touch?
> 
> If we provide the latter, they'll expect it to provide the former. So we
> need to verify credentials in the CIB server process instead. For SSL
> connections to the server, this means username/password transfer, or
> challenge-response.
> 
> For local sockets, we can use code similar to the IPC socket stuff from
> heartbeat to get the uuid from the other end of the socket?
If I understand right, pacemaker uses called "uuid ticket", which is given
by the server end when a client signs on the CIB, and then it'll be used in
the consequent request for the server end to determine which IPC channel the
reply should be sent through. But before the sever give the uuid ticket to
the client, it still needs to authenticate user I think.

Is that the same way in heartbeat? If not, it must be a way for the server to
determine who's actually on the other end of the socket rather than the client
tell it?

> 
> In the mean-time, reviewing the syntax is probably quite important too.
Right, I'm looking forward to your comments on that:-)

Thanks,
  Yan

-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.

More information about the Pacemaker mailing list