[ClusterLabs] Coming in Pacemaker 3.0.2: PSK support for remote CIB administration
Chris Lumens
clumens at redhat.com
Wed Apr 22 15:26:12 UTC 2026
If you are not using remote CIB administration in Pacemaker, you can
completely disregard this email. For the several that do, starting in
Pacemaker 3.0.2, we've introduced a variety of changes:
* PSK is now a supported authentication method, alongside TLS
certificates. This brings it in line with the supported authentication
methods for Pacemaker Remote nodes. The Pacemaker Administration
document has all the details for how to set this up, but the quick
overview is you create a secret key, put it on the client and cluster
node, and then set up the right environment variables for Pacemaker to
know where to look for the key. You will still need to log in with a
username and password, and there is some weirdness around this at the
moment, which I am hoping to fix relatively soon.
* The remote-clear-port cluster property is deprecated and will be
removed soon. This property allows you to perform remote cluster
administration with no encryption at all. You still need to log in with
a username and password, but that would happen in the clear. We've
suggested only using this on secure networks, but it's time to stop
offering it at all. Instead, use the remote-tls-port property which was
introduced in 2014.
* Anonymous authentication for remote CIB administration is deprecated
and will be removed soon. This allowed you to perform remote cluster
administration over an encrypted channel, but with no authentication on
that channel. Instead, move to using TLS certificates or the new PSK
support.
Of the two authentication methods (TLS certs and PSK), PSK is far easier
to set up and is what I would suggest for the more casual user (if there
are any casual users of remote CIB administration).
- Chris
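
Added example, not part of the original email and not Pacemaker project code: a check for the deprecated remote-clear-port setting in a saved CIB (for instance the output of `cibadmin --query`). It assumes the port settings appear either as attributes of the `<cib>` element or as nvpairs under crm_config, and that a positive integer means the port is enabled; the sample CIB is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample CIB, not taken from a real cluster.
SAMPLE_CIB = """<cib admin_epoch="0" epoch="12" num_updates="0" remote-clear-port="5561">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="opt-stonith" name="stonith-enabled" value="true"/>
      </cluster_property_set>
    </crm_config>
  </configuration>
</cib>"""

PORT_SETTINGS = ("remote-clear-port", "remote-tls-port")
NVPAIR_PATH = "./configuration/crm_config/cluster_property_set/nvpair"


def remote_ports(cib_xml):
    """Return {setting: port} for every remote administration port that is enabled."""
    root = ET.fromstring(cib_xml)
    enabled = {}
    for name in PORT_SETTINGS:
        # Assumption: the setting may be a <cib> attribute or a crm_config nvpair.
        values = [root.get(name)]
        values += [nv.get("value") for nv in root.findall(NVPAIR_PATH)
                   if nv.get("name") == name]
        for value in values:
            if value is not None and value.strip().isdigit() and int(value) > 0:
                enabled[name] = int(value)
    return enabled


def audit(cib_xml):
    """Return findings for configurations that rely on the cleartext port."""
    ports = remote_ports(cib_xml)
    findings = []
    if "remote-clear-port" in ports:
        findings.append("remote-clear-port=%d: remote CIB administration with no "
                        "encryption (deprecated)" % ports["remote-clear-port"])
        if "remote-tls-port" not in ports:
            findings.append("remote-tls-port is not set: no encrypted remote "
                            "administration port is configured")
    return findings


if __name__ == "__main__":
    # Pass a saved CIB file as the first argument; otherwise the sample is used.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CIB
    for finding in audit(xml_text):
        print("WARNING:", finding)
```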