[Pacemaker] Multi-level ACLs for the CIB

Dejan Muhamedagic dejanmm at fastmail.fm
Thu Mar 18 12:23:32 UTC 2010


Hi,

On Thu, Mar 18, 2010 at 07:49:04PM +0800, Yan Gao wrote:
> Hi Dejan,
> 
> On 03/18/10 19:23, Dejan Muhamedagic wrote:
> > Hi Yan,
> > 
> > On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
> >> Hi Andrew,
> >>
> >> On 02/23/10 17:23, Yan Gao wrote:
> >>> On 02/23/10 04:10, Andrew Beekhof wrote:
> >>>> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao <ygao at novell.com> wrote:
> >>>>> Hi Andrew,
> >>>>>
> >>>>> On 02/08/10 17:48, Andrew Beekhof wrote:
> >>>>>> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <ygao at novell.com> wrote:
> >>>>>>>> And put exclusions for things like passwords before the read for the whole cib?
> >>>>>>> Yes. We should specify any "deny" and "write" objects before it.
> >>>>>>
> >>>>>> I like the syntax now, but my original concern (that all the
> >>>>>> validation occurs in the client library) remains... so this still
> >>>>>> isn't providing any real security.
> >>>>> Right. If it's impossible for cib to run as root,
> >>>>
> >>>> If you need root for this, I think we can allow that change for 1.1.
> >>>>
> >>> Great! So PAM is still preferred. Anyway, I'll have a dig at different
> >>> ways. I think we can make that change when the authentication is ready,
> >>> and if it's necessary.
> >> After investigating, I found that Unix domain sockets provide methods to
> >> identify the user on the other side of a socket. That means we don't need
> >> PAM to do authentication for local access, and the clients don't need
> >> to prompt the user to input and transfer username/password to the server.
> >> And cib daemon still can run as "hacluster".
> >>
> >> I've improved the ipcsocket library of cluster-glue to record user's identity
> >> info for cib to use.
> >>
> >> The behavior of remote access to the cib is still like before.
> >>
> >> Attached the patch for cluster-glue and the updated patch for pacemaker. Looking
> >> forward to your review and comments. Thanks!
> > 
> > The patch for cluster-glue looks ok, but the existing crm_mon
> > segfaults. Pacemaker has to be rebuilt too because the data
> > structure changed.
> Indeed.
> 
> > With pacemaker 1.0.8 already out, this patch
> > can't be applied to the cluster-glue just now.
> Perhaps after releasing a new version of cluster-glue or also a devel
> branch?

Yes, this looks like reason enough to create a development
branch. But it may take a bit of time, since it's been very
busy lately.

Cheers,

Dejan

> Regards,
>   Yan
> -- 
> Yan Gao <ygao at novell.com>
> Software Engineer
> China Server Team, OPS Engineering, Novell, Inc.
> 
> _______________________________________________
> Pacemaker mailing list
> Pacemaker at oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
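
The two points discussed in this thread, shown together as an added example (not code from the cluster-glue or Pacemaker patches): the server takes the caller's identity from the kernel via Linux `SO_PEERCRED` on a Unix domain socket instead of from anything the client sends, and it evaluates a first-match rule list in which "deny" and "write" entries precede the broad "read". The rule format, the CIB paths and the uid-to-user mapping are constructed for illustration.

```python
import os
import socket
import struct

# Hypothetical rule list, NOT Pacemaker's ACL syntax: (user, action, path prefix).
# First match wins, so "deny" and "write" entries precede the broad "read".
RULES = [
    ("operator", "deny", "/cib/configuration/resources/stonith/password"),
    ("operator", "write", "/cib/configuration/resources"),
    ("operator", "read", "/cib"),
]
RANK = {"deny": 0, "read": 1, "write": 2}


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer as recorded by the kernel (Linux only)."""
    size = struct.calcsize("3i")
    return struct.unpack("3i", conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size))


def allowed(user, wanted, path, rules=RULES):
    """The first matching rule decides; no match, or an unknown action, means deny."""
    for rule_user, action, prefix in rules:
        if rule_user == user and (path == prefix or path.startswith(prefix + "/")):
            return RANK[action] >= RANK.get(wanted, 99)
    return False


def handle_request(conn, uid_to_user):
    """Server-side check: identity comes from the socket, never from the payload."""
    wanted, _, path = conn.recv(4096).decode().partition(" ")
    _pid, uid, _gid = peer_credentials(conn)
    user = uid_to_user.get(uid)
    return user is not None and allowed(user, wanted, path)


def demo():
    # Constructed exchange: a socketpair stands in for the daemon's IPC socket.
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    users = {os.geteuid(): "operator"}  # constructed uid -> ACL user mapping
    requests = ("read /cib/status", "write /cib/configuration/resources/vip",
                "read /cib/configuration/resources/stonith/password",
                "write /cib/status")
    results = []
    with server, client:
        for req in requests:
            client.sendall(req.encode())
            results.append(handle_request(server, users))
    return results
```

Reversing `RULES` so that the broad "read" comes first makes the password path readable, which is why the ordering in the thread matters.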
