Andrew Bogott wrote:
> Remaining tasks:
>
> - Extending rootwrap (or, specifically, getting gluster into sudo somehow)

I started looking into the security model around adding run-as-root commands. You obviously can't rely on code run as the nova user to "plug in" new run-as-root commands, as it would defeat the security model.

I still need to polish the model, but the idea would be to rely on a root-owned configuration directory (think /etc/nova/rootwrap.d) in which the filters would be described. The directory would be specified directly on the root_helper option, and authorized by the sudoers file. The filters configuration files would replace the current static rootwrap.{compute,network...} files.

So a plug-in that wants to add nova run-as-root commands would just have to drop an extra file in that directory, as part of its install.

Thoughts?

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
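
The ownership requirement in the proposal above, sketched as an added example that is not part of the original message or of nova's rootwrap code: a loader that refuses any filter directory or file the unprivileged user could have modified. The `.filters` suffix, the `[Filters]` section layout, the function names and the sample gluster path are assumptions made for illustration.

```python
import configparser
import os
import stat


def check_trusted(st, label, trusted_uid):
    """Raise unless the stat result shows an object only trusted_uid can modify."""
    if st.st_uid != trusted_uid:
        raise PermissionError("%s: owned by uid %d, expected %d"
                              % (label, st.st_uid, trusted_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("%s: writable by group or other" % label)


def load_filters(filter_dir, trusted_uid=0):
    """Return {name: command} from every *.filters file in filter_dir.

    Fails closed: one untrusted directory or file aborts the whole load.
    Assumed file layout (constructed for this example):
        [Filters]
        gluster = /usr/sbin/gluster
    """
    dir_st = os.lstat(filter_dir)  # lstat: a symlinked directory is rejected
    if not stat.S_ISDIR(dir_st.st_mode):
        raise PermissionError("%s: not a real directory" % filter_dir)
    check_trusted(dir_st, filter_dir, trusted_uid)
    allowed = {}
    for name in sorted(os.listdir(filter_dir)):
        if not name.endswith(".filters"):
            continue
        path = os.path.join(filter_dir, name)
        # O_NOFOLLOW + fstat: validate the file actually opened, so the path
        # cannot be swapped between the ownership check and the read.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        with os.fdopen(fd) as handle:
            st = os.fstat(handle.fileno())
            if not stat.S_ISREG(st.st_mode):
                raise PermissionError("%s: not a regular file" % path)
            check_trusted(st, path, trusted_uid)
            parser = configparser.ConfigParser(interpolation=None)
            parser.read_file(handle)
        if parser.has_section("Filters"):
            allowed.update(parser.items("Filters"))
    return allowed
```

The check covers only the directory and its files; parent directories along the path need the same ownership for the guarantee to hold.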