[Pacemaker] Multi-level ACLs for the CIB
Yan Gao
ygao at novell.com
Mon Feb 22 07:58:44 UTC 2010
Hi Andrew,
On 02/08/10 17:48, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <ygao at novell.com> wrote:
>>> And put exclusions for things like passwords before the read for the whole cib?
>> Yes. We should specify any "deny" and "write" objects before it.
>
> I like the syntax now, but my original concern (that all the
> validation occurs in the client library) remains... so this still
> isn't providing any real security.
Right. If it's impossible for cib to run as root, I'm considering
investigating PolicyKit to see if we could achieve authentication
through it. Any suggestion?
Regards,
Yan
--
Yan Gao <ygao at novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.