On 03/19/10 06:22, Lars Ellenberg wrote:
> On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
>> After investigating, I found that Unix domain sockets provide methods to
>> identify the user on the other side of a socket. That means we don't need
>> PAM to do authentication for local access, and the clients don't need
>> to prompt user to input and transfer username/password to the server.
>> And cib daemon still can run as "hacluster".
>>
>> I've improved the ipcsocket library of cluster-glue to record user's identity
>> info for cib to use.
>>
>> The behavior of remote access to the cib is still like before.
>>
>> Attached the patch for cluster-glue and the updated patch for pacemaker.
>> Looking forward to your review and comments. Thanks!
>
>> diff -r 5e7284501da6 -r 699b8e950cdf include/clplumbing/ipc.h >> --- a/include/clplumbing/ipc.h Mon Mar 15 16:03:30 2010 +0100 >> +++ b/include/clplumbing/ipc.h Wed Mar 17 15:06:08 2010 +0800 >> @@ -132,6 +132,8 @@ >> int ch_status; /* identify the status of channel.*/ >> int refcount; /* reference count */ >> pid_t farside_pid; /* far side pid */ >> + uid_t farside_uid; /* far side uid */ >> + gid_t farside_gid; /* far side gid */ >> void* ch_private; /* channel private data. */ >> /* (may contain conn. info.) */ >> IPC_Ops* ops; /* IPC_Channel function table.*/
>
> If you instead add the new members
> at the _end_ of the struct(s),
> it should be easier to maintain ABI compatibility.

Right. I should have thought of this compatibility issue.
Thanks,
  Yan
--
Yan Gao <y...@novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.
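
Review bot: The two added members, farside_uid and farside_gid right after farside_pid, carry only the comments "far side uid" and "far side gid", so nothing says what they hold on a channel where the peer's identity was never obtained. Because uid 0 is root, a zero-filled struct would read as a root peer to any consumer that makes an access decision on these fields; please document an explicit "unknown" value (for example (uid_t)-1), set it when the channel is created, and state which channel types fill the fields in. This is separate from the placement point already raised: inserting before ch_private and ops shifts those members' offsets for code built against the old header.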