[Pacemaker] Multi-level ACLs for the CIB
Lars Ellenberg
lars.ellenberg at linbit.com
Thu Mar 18 22:22:52 UTC 2010
On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
> After investigating, I found that Unix domain sockets provide methods to
> identify the user on the other side of a socket. That means we don't need
> PAM to do authentication for local access, and the clients doesn't need
> to prompt user to input and transfer username/password to the server.
> And cib daemon still can run as "hacluster".
>
> I've improved the ipcsocket library of cluster-glue to record user's identity
> info for cib to use.
>
> The behavior of remote access to the cib is still like before.
>
> Attached the patch for cluster-glue and the updated patch for pacemaker. Looking
> forward to your review and comments. Thanks!
> diff -r 5e7284501da6 -r 699b8e950cdf include/clplumbing/ipc.h
> --- a/include/clplumbing/ipc.h Mon Mar 15 16:03:30 2010 +0100
> +++ b/include/clplumbing/ipc.h Wed Mar 17 15:06:08 2010 +0800
> @@ -132,6 +132,8 @@
> int ch_status; /* identify the status of channel.*/
> int refcount; /* reference count */
> pid_t farside_pid; /* far side pid */
> + uid_t farside_uid; /* far side uid */
> + gid_t farside_gid; /* far side gid */
> void* ch_private; /* channel private data. */
> /* (may contain conn. info.) */
> IPC_Ops* ops; /* IPC_Channel function table.*/
If you instead add the new members
at the _end_ of the struct(s),
it should be easier to maintain ABI compatibility.
--
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com
DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
More information about the Pacemaker
mailing list