[Pacemaker] Multi-level ACLs for the CIB

Yan Gao ygao at novell.com
Fri Mar 19 06:06:18 UTC 2010


On 03/19/10 06:22, Lars Ellenberg wrote:
> On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
>> After investigating, I found that Unix domain sockets provide methods to
>> identify the user on the other side of a socket. That means we don't need
>> PAM to do authentication for local access, and the clients doesn't need
>> to prompt user to input and transfer username/password to the server.
>> And cib daemon still can run as "hacluster".
>>
>> I've improved the ipcsocket library of cluster-glue to record user's identity
>> info for cib to use.
>>
>> The behavior of remote access to the cib is still like before.
>>
>> Attached the patch for cluster-glue and the updated patch for pacemaker. Looking
>> forward to your review and comments. Thanks!
> 
>> diff -r 5e7284501da6 -r 699b8e950cdf include/clplumbing/ipc.h
>> --- a/include/clplumbing/ipc.h	Mon Mar 15 16:03:30 2010 +0100
>> +++ b/include/clplumbing/ipc.h	Wed Mar 17 15:06:08 2010 +0800
>> @@ -132,6 +132,8 @@
>>  	int		ch_status;	/* identify the status of channel.*/
>>  	int		refcount;	/* reference count */
>>  	pid_t		farside_pid;	/* far side pid */
>> +	uid_t		farside_uid;	/* far side uid */
>> +	gid_t		farside_gid;	/* far side gid */
>>  	void*		ch_private;	/* channel private data. */
>>  					/* (may contain conn. info.) */
>>  	IPC_Ops*	ops;		/* IPC_Channel function table.*/
> 
> 
> If you instead add the new members
> at the _end_ of the struct(s),
> it should be easier to maintain ABI compatibility.
Right. I should have thought of this compatibility issue.

Thanks,
  Yan
-- 
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.




More information about the Pacemaker mailing list