Hi,

On Thu, Mar 18, 2010 at 07:49:04PM +0800, Yan Gao wrote:
> Hi Dejan,
>
> On 03/18/10 19:23, Dejan Muhamedagic wrote:
> > Hi Yan,
> >
> > On Wed, Mar 17, 2010 at 06:12:24PM +0800, Yan Gao wrote:
> >> Hi Andrew,
> >>
> >> On 02/23/10 17:23, Yan Gao wrote:
> >>> On 02/23/10 04:10, Andrew Beekhof wrote:
> >>>> On Mon, Feb 22, 2010 at 8:58 AM, Yan Gao <y...@novell.com> wrote:
> >>>>> Hi Andrew,
> >>>>>
> >>>>> On 02/08/10 17:48, Andrew Beekhof wrote:
> >>>>>> On Thu, Feb 4, 2010 at 5:24 PM, Yan Gao <y...@novell.com> wrote:
> >>>>>>>> And put exclusions for things like passwords before the read for
> >>>>>>>> the whole cib?
> >>>>>>> Yes. We should specify any "deny" and "write" objects before it.
> >>>>>>
> >>>>>> I like the syntax now, but my original concern (that all the
> >>>>>> validation occurs in the client library) remains... so this still
> >>>>>> isn't providing any real security.
> >>>>> Right. If it's impossible for cib to run as root,
> >>>>
> >>>> If you need root for this, I think we can allow that change for 1.1.
> >>>>
> >>> Great! So PAM is still preferred. Anyway, I'll have a dig at different
> >>> ways. I think we can make that change when the authentication is ready,
> >>> and if it's necessary.
> >> After investigating, I found that Unix domain sockets provide methods to
> >> identify the user on the other side of a socket. That means we don't need
> >> PAM to do authentication for local access, and the clients don't need
> >> to prompt the user to input and transfer a username/password to the server.
> >> And the cib daemon can still run as "hacluster".
> >>
> >> I've improved the ipcsocket library of cluster-glue to record the user's
> >> identity info for cib to use.
> >>
> >> The behavior of remote access to the cib is still like before.
> >>
> >> Attached are the patch for cluster-glue and the updated patch for pacemaker.
> >> Looking forward to your review and comments. Thanks!
> >
> > The patch for cluster-glue looks ok, but the existing crm_mon
> > segfaults. Pacemaker has to be rebuilt too because the data
> > structure changed.
> Indeed.
>
> > With pacemaker 1.0.8 already out, this patch
> > can't be applied to the cluster-glue just now.
> Perhaps after releasing a new version of cluster-glue or also a devel
> branch?
Yes, this looks like reason enough to create a development
branch. But it may take a bit of time, since it's been very busy
lately.

Cheers,

Dejan

> Regards,
>   Yan
> --
> Yan Gao <y...@novell.com>
> Software Engineer
> China Server Team, OPS Engineering, Novell, Inc.
>
> _______________________________________________
> Pacemaker mailing list
> Pacemaker@oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
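To illustrate the mechanism Yan refers to above (the kernel identifying the user on the other end of a Unix domain socket, so the daemon can keep running as "hacluster" without PAM or a password round trip), here is an added example written for this page. It is not cluster-glue's ipcsocket code nor anything from the cib; it uses Linux SO_PEERCRED, a socketpair standing in for the listening socket and the connecting client, and a made-up policy function `authorize_peer` that allows root, the daemon's own user and one cluster group. The `peer_cred` struct mirrors the kernel's `struct ucred` layout so the code does not depend on the `_GNU_SOURCE` feature macro.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>

/* Credential record SO_PEERCRED fills in on Linux (same layout as the
 * kernel's struct ucred: pid, uid, gid).  On the BSDs the equivalent
 * is getpeereid(2), which yields uid and gid only. */
struct peer_cred {
    pid_t pid;
    uid_t uid;
    gid_t gid;
};

/* Ask the kernel who is on the other end of a connected AF_UNIX socket.
 * The answer is recorded at connect()/socketpair() time and cannot be
 * influenced by anything the client later writes on the socket, which
 * is what makes it usable as an authentication source.
 * Returns 0 on success, -1 with errno set if fd has no peer. */
int peer_identity(int fd, struct peer_cred *out)
{
    struct peer_cred c;
    socklen_t len = sizeof c;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &c, &len) < 0)
        return -1;
    /* Linux reports pid 0 / uid -1 instead of an error for an
     * unconnected socket; never let that reach a policy decision. */
    if (c.pid == 0 && c.uid == (uid_t)-1) {
        errno = ENOTCONN;
        return -1;
    }
    *out = c;
    return 0;
}

/* Hypothetical policy for a daemon running as an unprivileged user:
 * allow root, the daemon's own user and members of the cluster group.
 * Finer-grained ACLs would be evaluated after this gate. */
enum peer_access { ACCESS_DENY = 0, ACCESS_ALLOW = 1 };

enum peer_access authorize_peer(const struct peer_cred *p,
                                uid_t daemon_uid, gid_t cluster_gid)
{
    if (p->uid == 0)           return ACCESS_ALLOW;
    if (p->uid == daemon_uid)  return ACCESS_ALLOW;
    if (p->gid == cluster_gid) return ACCESS_ALLOW;
    return ACCESS_DENY;
}

/* Convenience wrapper so the policy can be exercised with plain ids. */
int policy_decision(uid_t peer_uid, gid_t peer_gid,
                    uid_t daemon_uid, gid_t cluster_gid)
{
    struct peer_cred p = { 1, peer_uid, peer_gid };
    return authorize_peer(&p, daemon_uid, cluster_gid);
}

/* Stand-alone round trip: a socketpair plays both the accepted server
 * socket and the client.  Returns 1 if the kernel reports this process's
 * own euid/egid/pid for the peer, 0 if not, -1 on syscall failure. */
int peer_identity_matches_self(void)
{
    int sv[2];
    struct peer_cred p;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int rc = peer_identity(sv[0], &p);
    close(sv[0]);
    close(sv[1]);
    if (rc < 0)
        return -1;
    return p.uid == geteuid() && p.gid == getegid() && p.pid == getpid();
}

/* Failure mode: a socket with no peer must be refused, not treated as
 * some user.  Returns 1 if peer_identity() refused it. */
int unconnected_socket_is_refused(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct peer_cred p;
    int rc = peer_identity(fd, &p);
    close(fd);
    return rc < 0;
}

int main(void)
{
    int sv[2];
    struct peer_cred p;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || peer_identity(sv[0], &p) < 0) {
        perror("peer_identity");
        return 1;
    }
    printf("peer pid=%ld uid=%ld gid=%ld -> %s\n", (long)p.pid, (long)p.uid,
           (long)p.gid, authorize_peer(&p, geteuid(), getegid()) ? "allow" : "deny");
    return 0;
}
```

Note that this only covers the local path: the credentials are kernel-asserted and cost the client nothing, but they say nothing about a TCP peer, so the remote access Yan mentions still needs its own authentication.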