[Pacemaker] Multi-level ACLs for the CIB
Andrew Beekhof
andrew at beekhof.net
Mon Feb 22 20:10:32 UTC 2010
On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao <ygao at novell.com> wrote:
> Hi Andrew,
>
> On 02/08/10 17:48, Andrew Beekhof wrote:
>> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <ygao at novell.com> wrote:
>>>> And put exclusions for things like passwords before the read for the whole cib?
>>> Yes. We should specify any "deny" and "write" objects before it.
>>
>> I like the syntax now, but my original concern (that all the
>> validation occurs in the client library) remains... so this still
>> isn't providing any real security.
> Right. If it's impossible for cib to run as root,

If you need root for this, I think we can allow that change for 1.1.

> I'm considering
> investigating PolicyKit to see if we could achieve authentication
> through it. Any suggestion?
>
> Regards,
> Yan
> --
> Yan Gao <ygao at novell.com>
> Software Engineer
> China Server Team, OPS Engineering, Novell, Inc.
>