Andrew Bogott wrote:
> Remaining tasks:
>
> - Extending rootwrap (or, specifically, getting gluster into sudo somehow)
I started looking into the security model around adding run-as-root
commands. You obviously can't rely on code run as the nova user to "plug
in" new run-as-root commands, as it would defeat the security model.
I still need to polish the model, but the idea would be to rely on a
root-owned configuration directory (think /etc/nova/rootwrap.d) in which
the filters would be described. The directory would be specified
directly on the root_helper option, and authorized by the sudoers file.
The filters configuration files would replace the current static
rootwrap.{compute,network...} files.
So a plug-in that wants to add nova run-as-root commands would just have
to drop an extra file in that directory, as part of its install.
Thoughts ?
--
Thierry Carrez (ttx)
Release Manager, OpenStack
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : [email protected]
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
