On Wed, Mar 17, 2010 at 11:12 AM, Yan Gao <y...@novell.com> wrote:
> Hi Andrew,
>
> On 02/23/10 17:23, Yan Gao wrote:
>> On 02/23/10 04:10, Andrew Beekhof wrote:
>>> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao <y...@novell.com> wrote:
>>>> Hi Andrew,
>>>>
>>>> On 02/08/10 17:48, Andrew Beekhof wrote:
>>>>> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <y...@novell.com> wrote:
>>>>>>> And put exclusions for things like passwords before the read for the
>>>>>>> whole cib?
>>>>>> Yes. We should specify any "deny" and "write" objects before it.
>>>>>
>>>>> I like the syntax now, but my original concern (that all the
>>>>> validation occurs in the client library) remains... so this still
>>>>> isn't providing any real security.
>>>> Right. If it's impossible for cib to run as root,
>>>
>>> If you need root for this, I think we can allow that change for 1.1.
>>>
>> Great! So PAM is still preferred. Anyway, I'll have a dig at different
>> ways. I think we can make that change when the authentication is ready,
>> and if it's necessary.
> After investigating, I found that Unix domain sockets provide methods to
> identify the user on the other side of a socket. That means we don't need
> PAM to do authentication for local access, and the clients don't need
> to prompt the user to input and transfer a username/password to the server.
> And the cib daemon can still run as "hacluster".
>
> I've improved the ipcsocket library of cluster-glue to record the user's identity
> info for cib to use.
Looks good, but what about remote connections?

> The behavior of remote access to the cib is still like before.
>
> Attached the patch for cluster-glue and the updated patch for pacemaker. Looking
> forward to your review and comments. Thanks!
>
>
> BTW, a little revision of devel branch:

Ooops! Applied, thanks.

> diff -r f78972892449 configure.ac
> --- a/configure.ac Wed Mar 17 16:03:23 2010 +0800
> +++ b/configure.ac Wed Mar 17 16:19:06 2010 +0800
> @@ -431,7 +431,7 @@
>
> dnl Create symlinks to here from CRM_DAEMON_DIR when needed
> HB_DAEMON_DIR=`extract_header_define $GLUE_HEADER HA_LIBHBDIR`
> -AC_DEFINE_UNQUOTED(HB_DAEMON_DIR,"HB_DAEMON_DIR", Location for Heartbeat
> expects Pacemaker daemons to be in)
> +AC_DEFINE_UNQUOTED(HB_DAEMON_DIR,"$HB_DAEMON_DIR", Location for Heartbeat
> expects Pacemaker daemons to be in)
> AC_SUBST(HB_DAEMON_DIR)
>
> dnl Needed so that the AIS plugin can clear out the directory as Heartbeat
> does
>
>
> Regards,
> Yan
> --
> Yan Gao <y...@novell.com>
> Software Engineer
> China Server Team, OPS Engineering, Novell, Inc.
>
> _______________________________________________
> Pacemaker mailing list
> Pacemaker@oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
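Review bot: The `-`/`+` pair in the configure.ac hunk corrects a real defect rather than a cosmetic one: the removed line passed the literal string "HB_DAEMON_DIR" to AC_DEFINE_UNQUOTED, so the C macro HB_DAEMON_DIR expanded to the text "HB_DAEMON_DIR" instead of the directory just extracted from HA_LIBHBDIR, and the symlink creation the preceding dnl comment describes would have used a bogus relative path. `"$HB_DAEMON_DIR"` is the right fix. One follow-up worth considering at the same spot: if `extract_header_define` yields an empty value (glue header present but HA_LIBHBDIR absent), this line silently defines an empty path; an `AC_MSG_ERROR` or at least `AC_MSG_WARN` when `$HB_DAEMON_DIR` is empty would surface that misconfiguration at configure time instead of at runtime.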