On 03/19/10 06:22, Lars Ellenberg wrote:
> On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
>> After investigating, I found that Unix domain sockets provide methods to
>> identify the user on the other side of a socket. That means we don't need
>> PAM to do authentication for local access,
On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
> After investigating, I found that Unix domain sockets provide methods to
> identify the user on the other side of a socket. That means we don't need
> PAM to do authentication for local access, and the clients don't need
> to prompt user
On 03/18/10 22:54, Yan Gao wrote:
> On 03/18/10 21:00, Andrew Beekhof wrote:
>> On Thu, Mar 18, 2010 at 12:29 PM, Dejan Muhamedagic
>> wrote:
>>> Hi,
>>>
>>> On Thu, Mar 18, 2010 at 11:30:10AM +0100, Andrew Beekhof wrote:
On Thu, Mar 18, 2010 at 11:10 AM, Yan Gao wrote:
>
>
> On
On Thu, Mar 18, 2010 at 02:00:04PM +0100, Andrew Beekhof wrote:
> On Thu, Mar 18, 2010 at 12:29 PM, Dejan Muhamedagic
> wrote:
> > Hi,
> >
> > On Thu, Mar 18, 2010 at 11:30:10AM +0100, Andrew Beekhof wrote:
> >> On Thu, Mar 18, 2010 at 11:10 AM, Yan Gao wrote:
> >> >
> >> >
> >> > On 03/18/10 17
On 03/18/10 21:00, Andrew Beekhof wrote:
> On Thu, Mar 18, 2010 at 12:29 PM, Dejan Muhamedagic
> wrote:
>> Hi,
>>
>> On Thu, Mar 18, 2010 at 11:30:10AM +0100, Andrew Beekhof wrote:
>>> On Thu, Mar 18, 2010 at 11:10 AM, Yan Gao wrote:
On 03/18/10 17:11, Andrew Beekhof wrote:
>
On Thu, Mar 18, 2010 at 12:29 PM, Dejan Muhamedagic wrote:
> Hi,
>
> On Thu, Mar 18, 2010 at 11:30:10AM +0100, Andrew Beekhof wrote:
>> On Thu, Mar 18, 2010 at 11:10 AM, Yan Gao wrote:
>> >
>> >
>> > On 03/18/10 17:11, Andrew Beekhof wrote:
>> >> On Thu, Mar 18, 2010 at 9:53 AM, Yan Gao wrote:
>
Hi,
On Thu, Mar 18, 2010 at 07:49:04PM +0800, Yan Gao wrote:
> Hi Dejan,
>
> On 03/18/10 19:23, Dejan Muhamedagic wrote:
> > Hi Yan,
> >
> > On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
> >> Hi Andrew,
> >>
> >> On 02/23/10 17:23, Yan Gao wrote:
> >>> On 02/23/10 04:10, Andrew Beekho
Hi Dejan,
On 03/18/10 19:23, Dejan Muhamedagic wrote:
> Hi Yan,
>
> On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
>> Hi Andrew,
>>
>> On 02/23/10 17:23, Yan Gao wrote:
>>> On 02/23/10 04:10, Andrew Beekhof wrote:
On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao wrote:
> Hi Andrew,
>>
On 03/18/10 18:30, Andrew Beekhof wrote:
> On Thu, Mar 18, 2010 at 11:10 AM, Yan Gao wrote:
>>
>>
>> On 03/18/10 17:11, Andrew Beekhof wrote:
>>> On Thu, Mar 18, 2010 at 9:53 AM, Yan Gao wrote:
On 03/18/10 16:33, Andrew Beekhof wrote:
> On Wed, Mar 17, 2010 at 11:12 AM, Yan Gao wrote:
Hi,
On Thu, Mar 18, 2010 at 11:30:10AM +0100, Andrew Beekhof wrote:
> On Thu, Mar 18, 2010 at 11:10 AM, Yan Gao wrote:
> >
> >
> > On 03/18/10 17:11, Andrew Beekhof wrote:
> >> On Thu, Mar 18, 2010 at 9:53 AM, Yan Gao wrote:
> >>> On 03/18/10 16:33, Andrew Beekhof wrote:
> On Wed, Mar 17, 2
Hi Yan,
On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
> Hi Andrew,
>
> On 02/23/10 17:23, Yan Gao wrote:
> > On 02/23/10 04:10, Andrew Beekhof wrote:
> >> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao wrote:
> >>> Hi Andrew,
> >>>
> >>> On 02/08/10 17:48, Andrew Beekhof wrote:
> On Th
On Thu, Mar 18, 2010 at 11:10 AM, Yan Gao wrote:
>
>
> On 03/18/10 17:11, Andrew Beekhof wrote:
>> On Thu, Mar 18, 2010 at 9:53 AM, Yan Gao wrote:
>>> On 03/18/10 16:33, Andrew Beekhof wrote:
On Wed, Mar 17, 2010 at 11:12 AM, Yan Gao wrote:
> Hi Andrew,
>
> On 02/23/10 17:23, Ya
On 03/18/10 17:11, Andrew Beekhof wrote:
> On Thu, Mar 18, 2010 at 9:53 AM, Yan Gao wrote:
>> On 03/18/10 16:33, Andrew Beekhof wrote:
>>> On Wed, Mar 17, 2010 at 11:12 AM, Yan Gao wrote:
Hi Andrew,
On 02/23/10 17:23, Yan Gao wrote:
> On 02/23/10 04:10, Andrew Beekhof wrote:
On Thu, Mar 18, 2010 at 9:53 AM, Yan Gao wrote:
> On 03/18/10 16:33, Andrew Beekhof wrote:
>> On Wed, Mar 17, 2010 at 11:12 AM, Yan Gao wrote:
>>> Hi Andrew,
>>>
>>> On 02/23/10 17:23, Yan Gao wrote:
On 02/23/10 04:10, Andrew Beekhof wrote:
> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao wro
On 03/18/10 16:33, Andrew Beekhof wrote:
> On Wed, Mar 17, 2010 at 11:12 AM, Yan Gao wrote:
>> Hi Andrew,
>>
>> On 02/23/10 17:23, Yan Gao wrote:
>>> On 02/23/10 04:10, Andrew Beekhof wrote:
On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao wrote:
> Hi Andrew,
>
> On 02/08/10 17:48, Andre
On Wed, Mar 17, 2010 at 11:12 AM, Yan Gao wrote:
> Hi Andrew,
>
> On 02/23/10 17:23, Yan Gao wrote:
>> On 02/23/10 04:10, Andrew Beekhof wrote:
>>> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao wrote:
Hi Andrew,
On 02/08/10 17:48, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 5:24
Hi Andrew,
On 02/23/10 17:23, Yan Gao wrote:
> On 02/23/10 04:10, Andrew Beekhof wrote:
>> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao wrote:
>>> Hi Andrew,
>>>
>>> On 02/08/10 17:48, Andrew Beekhof wrote:
On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao wrote:
>> And put exclusions for things like
On 02/23/10 04:10, Andrew Beekhof wrote:
> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao wrote:
>> Hi Andrew,
>>
>> On 02/08/10 17:48, Andrew Beekhof wrote:
>>> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao wrote:
> And put exclusions for things like passwords before the read for the
> whole cib?
On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao wrote:
> Hi Andrew,
>
> On 02/08/10 17:48, Andrew Beekhof wrote:
>> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao wrote:
And put exclusions for things like passwords before the read for the
whole cib?
>>> Yes. We should specify any "deny" and "write"
Hi Andrew,
On 02/08/10 17:48, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao wrote:
>>> And put exclusions for things like passwords before the read for the whole
>>> cib?
>> Yes. We should specify any "deny" and "write" objects before it.
>
> I like the syntax now, but my ori
On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao wrote:
>> And put exclusions for things like passwords before the read for the whole
>> cib?
> Yes. We should specify any "deny" and "write" objects before it.
I like the syntax now, but my original concern (that all the
validation occurs in the client li
On 02/04/10 21:01, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 8:51 AM, Yan Gao wrote:
>>
>>
>> On 02/04/10 15:15, Andrew Beekhof wrote:
>>> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao wrote:
Andrew Beekhof wrote:
> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao wrote:
>
> [s
On Thu, Feb 4, 2010 at 8:51 AM, Yan Gao wrote:
>
>
> On 02/04/10 15:15, Andrew Beekhof wrote:
>> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao wrote:
>>>
>>>
>>> Andrew Beekhof wrote:
On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao wrote:
[snip]
> A configuration example:
> ..
On 02/04/10 15:15, Andrew Beekhof wrote:
> On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao wrote:
>>
>>
>> Andrew Beekhof wrote:
>>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao wrote:
>>>
>>> [snip]
>>>
A configuration example:
..
>>>
On Thu, Feb 4, 2010 at 4:52 AM, Yan Gao wrote:
>
>
> Andrew Beekhof wrote:
>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao wrote:
>>
>> [snip]
>>
>>> A configuration example:
>>> ..
>>>
>>
>> [snip]
>>
>> Quick question, have you tried using crm
On 02/04/10 12:36, Tim Serong wrote:
> On 2/4/2010 at 02:52 PM, Yan Gao wrote:
>>
>> Andrew Beekhof wrote:
>>> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao wrote:
>>>
>>> [snip]
>>>
A configuration example:
..
On 2/4/2010 at 02:52 PM, Yan Gao wrote:
>
> Andrew Beekhof wrote:
> > On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao wrote:
> >
> > [snip]
> >
> >> A configuration example:
> >> ..
> >>
> >
> > [snip]
> >
> > Quic
Andrew Beekhof wrote:
> On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao wrote:
>
> [snip]
>
>> A configuration example:
>> ..
>>
>
> [snip]
>
> Quick question, have you tried using crm_mon with a configuration like this?
> I'm pretty sure you'll get n
On Tue, Feb 2, 2010 at 6:14 AM, Yan Gao wrote:
[snip]
> A configuration example:
> ..
>
[snip]
Quick question, have you tried using crm_mon with a configuration like this?
I'm pretty sure you'll get nothing sensible as it can't find the resources.
Migh
Hi,
Sorry for delaying this update so long because of some other work.
The ACL implementation has been improved. As we discussed, two new
functionalities have been added:
* The access control on attributes of elements
* xpath based ACL.
The schema and the corresponding code have been simplified:
On Wed, Jan 13, 2010 at 11:07 AM, Dejan Muhamedagic wrote:
> Hi,
>
> On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
> [...]
>> I don't think you want that.
>> "One user, one role" would be my advice.
>
> Wouldn't that be too restrictive?
I don't see why. It just requires the adm
Hi,
Dejan Muhamedagic wrote:
> Hi Yan,
>
> On Wed, Jan 13, 2010 at 08:49:00PM +0800, Yan Gao wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
>>> [...]
> The user "ygao" is a system account.
> We could define severa
Hi Yan,
On Wed, Jan 13, 2010 at 08:49:00PM +0800, Yan Gao wrote:
> Dejan Muhamedagic wrote:
> > Hi,
> >
> > On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
> > [...]
> >>> The user "ygao" is a system account.
> >>> We could define several roles as we wish, such as "admin",
Dejan Muhamedagic wrote:
> Hi,
>
> On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
> [...]
>>> The user "ygao" is a system account.
>>> We could define several roles as we wish, such as "admin",
>>> "operator" and "monitor", which could contain a member list
>>> res
Hi Dejan,
Dejan Muhamedagic wrote:
> Hi Yan,
>
> On Wed, Jan 13, 2010 at 01:21:29PM +0800, Yan Gao wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
Hi Dejan,
Dejan Muhamedagic wrote:
> Hi,
>
> On Mon, Jan 11, 20
Andrew Beekhof wrote:
> On Wed, Jan 13, 2010 at 6:21 AM, Yan Gao wrote:
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
Hi Dejan,
Dejan Muhamedagic wrote:
>> The user "ygao" is a system account.
>> We could define several
Andrew Beekhof wrote:
> On Tue, Jan 12, 2010 at 1:06 PM, Yan Gao wrote:
>> Andrew Beekhof wrote:
>>> On Tue, Jan 12, 2010 at 10:41 AM, Dejan Muhamedagic
>>> wrote:
Hi,
On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
> BTW, there're some changes compared to the origin
Hi,
On Wed, Jan 13, 2010 at 10:04:12AM +0100, Andrew Beekhof wrote:
[...]
> > The user "ygao" is a system account.
> > We could define several roles as we wish, such as "admin",
> > "operator" and "monitor", which could contain a member list
> > respectively if more than one user h
Hi Yan,
On Wed, Jan 13, 2010 at 01:21:29PM +0800, Yan Gao wrote:
> Dejan Muhamedagic wrote:
> > Hi,
> >
> > On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
> >> Hi Dejan,
> >>
> >> Dejan Muhamedagic wrote:
> >>> Hi,
> >>>
> >>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
> >
On Wed, Jan 13, 2010 at 6:21 AM, Yan Gao wrote:
> Dejan Muhamedagic wrote:
>> Hi,
>>
>> On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
>>> Hi Dejan,
>>>
>>> Dejan Muhamedagic wrote:
Hi,
On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
> ..
>
>
On Tue, Jan 12, 2010 at 1:06 PM, Yan Gao wrote:
>
> Andrew Beekhof wrote:
>> On Tue, Jan 12, 2010 at 10:41 AM, Dejan Muhamedagic
>> wrote:
>>> Hi,
>>>
>>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
>>
>> Ah, I was looking in the patch.
>>
Dejan Muhamedagic wrote:
> Hi,
>
> On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
>> Hi Dejan,
>>
>> Dejan Muhamedagic wrote:
>>> Hi,
>>>
>>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
..
Hi,
On Tue, Jan 12, 2010 at 08:00:56PM +0800, Yan Gao wrote:
> Hi Dejan,
>
> Dejan Muhamedagic wrote:
> > Hi,
> >
> > On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
> >> ..
> >>
Andrew Beekhof wrote:
> On Tue, Jan 12, 2010 at 10:41 AM, Dejan Muhamedagic
> wrote:
>> Hi,
>>
>> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
>
> Ah, I was looking in the patch.
>
>>>
Hi Dejan,
Dejan Muhamedagic wrote:
> Hi,
>
> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
>> ..
>>
>
On Tue, Jan 12, 2010 at 10:41 AM, Dejan Muhamedagic wrote:
> Hi,
>
> On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
Ah, I was looking in the patch.
>>
Hi,
On Mon, Jan 11, 2010 at 09:01:30PM +0800, Yan Gao wrote:
> ..
>
I understand that the "ref" element re
On Tue, Jan 12, 2010 at 9:53 AM, Yan Gao wrote:
> Hi Andrew,
>
> Andrew Beekhof wrote:
>> On Mon, Jan 11, 2010 at 4:08 PM, Lars Marowsky-Bree wrote:
>>> In the mean-time, reviewing the syntax is probably quite important too.
>>
>> Has it changed since we discussed it last?
> Yes, it has changed a
Hi Andrew,
Andrew Beekhof wrote:
> On Mon, Jan 11, 2010 at 4:08 PM, Lars Marowsky-Bree wrote:
>> In the mean-time, reviewing the syntax is probably quite important too.
>
> Has it changed since we discussed it last?
Yes, it has changed a bit compared to the original design.
> I don't see any n
On Mon, Jan 11, 2010 at 4:08 PM, Lars Marowsky-Bree wrote:
> In the mean-time, reviewing the syntax is probably quite important too.
Has it changed since we discussed it last?
I don't see any new examples to comment on.
Hi Lars,
Lars Marowsky-Bree wrote:
> On 2010-01-11T15:02:29, Andrew Beekhof wrote:
>
>>> For this authentication issue of local access we discussed last time, I
>>> added a geteuid() in the cib_native_signon_raw() function from libcib.
>>> Once a client signs on the CIB, it'll invoke the functio
Hi Andrew,
Andrew Beekhof wrote:
> On Mon, Jan 11, 2010 at 2:01 PM, Yan Gao wrote:
>> Hi all, Andrew, Lars,
>>
>> Here's the status update about this feature.
>>
>> I've implemented the main functionalities of ACL, including the ACLs
>> configuration parser, the CIB output filter and the modifica
On 2010-01-11T15:02:29, Andrew Beekhof wrote:
> > For this authentication issue of local access we discussed last time, I
> > added a geteuid() in the cib_native_signon_raw() function from libcib.
> > Once a client signs on the CIB, it'll invoke the function and transfer
> > its uid to the server
On Mon, Jan 11, 2010 at 2:01 PM, Yan Gao wrote:
> Hi all, Andrew, Lars,
>
> Here's the status update about this feature.
>
> I've implemented the main functionalities of ACL, including the ACLs
> configuration parser, the CIB output filter and the modification checker...
>
> Yan Gao wrote:
>> On 1
Hi all, Andrew, Lars,
Here's the status update about this feature.
I've implemented the main functionalities of ACL, including the ACLs
configuration parser, the CIB output filter and the modification checker...
Yan Gao wrote:
> On 12/09/09 18:28, Andrew Beekhof wrote:
>> On Wed, Dec 9, 2009 at
On 12/09/09 18:28, Andrew Beekhof wrote:
> On Wed, Dec 9, 2009 at 11:00 AM, Yan Gao wrote:
>> Hi Andrew, Lars,
>>
>> On 12/08/09 21:16, Lars Marowsky-Bree wrote:
>>> On 2009-12-08T09:22:52, Andrew Beekhof wrote:
>>>
> Basically, we'd like to see an ACL mechanism. It would be implemented at
>>
On Wed, Dec 9, 2009 at 11:00 AM, Yan Gao wrote:
> Hi Andrew, Lars,
>
> On 12/08/09 21:16, Lars Marowsky-Bree wrote:
>> On 2009-12-08T09:22:52, Andrew Beekhof wrote:
>>
Basically, we'd like to see an ACL mechanism. It would be implemented at
the CIB level. So that all the clients - CLI,
Hi Andrew, Lars,
On 12/08/09 21:16, Lars Marowsky-Bree wrote:
> On 2009-12-08T09:22:52, Andrew Beekhof wrote:
>
>>> Basically, we'd like to see an ACL mechanism. It would be implemented at
>>> the CIB level. So that all the clients - CLI, CRM shell, GUI, etc... -
>>> could benefit. Clients are
On Tue, Dec 8, 2009 at 2:16 PM, Lars Marowsky-Bree wrote:
> On 2009-12-08T09:22:52, Andrew Beekhof wrote:
>
>> > Basically, we'd like to see an ACL mechanism. It would be implemented at
>> > the CIB level. So that all the clients - CLI, CRM shell, GUI, etc... -
>> > could benefit. Clients are au
On 2009-12-08T09:22:52, Andrew Beekhof wrote:
> > Basically, we'd like to see an ACL mechanism. It would be implemented at
> > the CIB level. So that all the clients - CLI, CRM shell, GUI, etc... -
> > could benefit. Clients are authenticated via PAM, so we can use uid/gid
> > for identification
On Mon, Dec 7, 2009 at 9:06 AM, Yan Gao wrote:
> Hi all, Andrew,
>
> This planned feature was proposed by Lars. After some discussions
> with Lars and Tim, I'm sharing it here, and looking forward to hearing
> your thoughts and suggestions.
>
> The goal of this feature is to provide different leve
Hi all, Andrew,
This planned feature was proposed by Lars. After some discussions
with Lars and Tim, I'm sharing it here, and looking forward to hearing
your thoughts and suggestions.
The goal of this feature is to provide different levels of
administration to users.
Some of the common scenarios
62 matches