[Pacemaker] Multi-level ACLs for the CIB

Andrew Beekhof andrew at beekhof.net
Thu Mar 18 08:33:20 UTC 2010


On Wed, Mar 17, 2010 at 11:12 AM, Yan Gao <ygao at novell.com> wrote:
> Hi Andrew,
>
> On 02/23/10 17:23, Yan Gao wrote:
>> On 02/23/10 04:10, Andrew Beekhof wrote:
>>> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao <ygao at novell.com> wrote:
>>>> Hi Andrew,
>>>>
>>>> On 02/08/10 17:48, Andrew Beekhof wrote:
>>>>> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <ygao at novell.com> wrote:
>>>>>>> And put exclusions for things like passwords before the read for the whole cib?
>>>>>> Yes. We should specify any "deny" and "write" objects before it.
>>>>>
>>>>> I like the syntax now, but my original concern (that all the
>>>>> validation occurs in the client library) remains... so this still
>>>>> isn't providing any real security.
>>>> Right. If it's impossible for cib to run as root,
>>>
>>> If you need root for this, I think we can allow that change for 1.1.
>>>
>> Great! So PAM is still preferred. Anyway, I'll have a dig at different
>> ways. I think we can make that change when the authentication is ready,
>> and if it's necessary.
> After investigating, I found that Unix domain sockets provide methods to
> identify the user on the other side of a socket. That means we don't need
> PAM to do authentication for local access, and the clients don't need
> to prompt the user to input and transfer username/password to the server.
> And the cib daemon can still run as "hacluster".
>
> I've improved the ipcsocket library of cluster-glue to record the user's identity
> info for cib to use.

Looks good, but what about remote connections?

>
> The behavior of remote access to the cib is still like before.
>
> Attached the patch for cluster-glue and the updated patch for pacemaker. Looking
> forward to your review and comments. Thanks!
>
>
> BTW, a little revision of devel branch:

Ooops!
Applied, thanks.

> diff -r f78972892449 configure.ac
> --- a/configure.ac      Wed Mar 17 16:03:23 2010 +0800
> +++ b/configure.ac      Wed Mar 17 16:19:06 2010 +0800
> @@ -431,7 +431,7 @@
>
>  dnl Create symlinks to here from CRM_DAEMON_DIR when needed
>  HB_DAEMON_DIR=`extract_header_define $GLUE_HEADER HA_LIBHBDIR`
> -AC_DEFINE_UNQUOTED(HB_DAEMON_DIR,"HB_DAEMON_DIR", Location for Heartbeat expects Pacemaker daemons to be in)
> +AC_DEFINE_UNQUOTED(HB_DAEMON_DIR,"$HB_DAEMON_DIR", Location for Heartbeat expects Pacemaker daemons to be in)
>  AC_SUBST(HB_DAEMON_DIR)
>
>  dnl Needed so that the AIS plugin can clear out the directory as Heartbeat does
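
Review bot: On the changed AC_DEFINE_UNQUOTED line, the value now depends on the shell variable assigned from extract_header_define on the line above, and nothing in this hunk checks that the extraction returned a non-empty string, so a header without HA_LIBHBDIR would silently define HB_DAEMON_DIR as "". Consider failing configure with AC_MSG_ERROR when the variable is empty. The third argument (the description) is also passed without m4 quoting; wrapping it in [ ] would protect it from macro expansion, and "Location for Heartbeat expects Pacemaker daemons to be in" could be reworded to "Location Heartbeat expects Pacemaker daemons to be in".
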
>
>
> Regards,
>  Yan
> --
> Yan Gao <ygao at novell.com>
> Software Engineer
> China Server Team, OPS Engineering, Novell, Inc.
>
>



