Bug 484047

Summary: RFE: Provide configurable uid based aisexec access
Product: [Fedora] Fedora
Reporter: Justin Ross <jross>
Component: corosync
Assignee: Jan Friesse <jfriesse>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: aconway, agk, cluster-maint, fdinitto, sdake
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of:
: 501337
Last Closed: 2009-05-20 13:31:16 UTC
Bug Blocks: 501337
Attachments: Patch fixing this problem (flags: none)

Description Justin Ross 2009-02-04 14:29:53 UTC
At present, the qpid project sets the primary group of the qpidd daemon to openais in order to enable communication with aisexec.

We'd prefer to have some other means of doing this, because changing the group has implications for any system admin based on groups.

An alternative, where specific uids are granted access, was discussed in IRC:

<sdake_> jross can i ask some questions about your requirements
<jross> sdake_, certainly
<sdake_> would putting a uid name in /etc/openais.conf be a suitable solution for you?
<jross> sdake_, yes, but it would be a little suboptimal from a packaging standpoint.  we'd prefer a way to dump some openais conf in something like /etc/openais.d/
<sdake_> so /etc/openais/security
<sdake_> and in that dir would contain a file qpid-uid
<jross> that would be great
<sdake_> and in qpid-uid would contain a uid for qpid?
<jross> yeah
<sdake_> ok

Comment 4 Steven Dake 2009-05-12 08:26:32 UTC
Honzaf is going to work on this feature for corosync trunk.  Need by May 15-20th.

Comment 6 Jan Friesse 2009-05-18 13:52:34 UTC
Created attachment 344438
Patch fixing this problem

Section is named uidgid and can contain only uid and gid keys. Files should be placed in /etc/ais/uidgid.d/ (separate patch solves this, so every configuration is in /etc/corosync/uidgid.d)
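
Added example (not part of the bug report, the attached patch or corosync's own code): a small audit helper that reads the contents of one uidgid.d file, lists the uid/gid values it grants access to, and reports any key other than uid or gid. It assumes corosync's `section { key: value }` configuration syntax; the function name `audit_uidgid`, the sample file contents and the stray `mode` key are constructed for illustration.

```python
import re

ALLOWED_KEYS = {"uid", "gid"}  # the only keys the uidgid section accepts

# Constructed sample contents for a file such as /etc/corosync/uidgid.d/qpid;
# the "mode" line is a deliberate mistake for the audit to catch.
SAMPLE = """\
# allow the qpidd daemon to talk to corosync
uidgid {
    uid: qpidd
    gid: qpidd
    mode: 0666
}
"""

def audit_uidgid(text, source="<inline>"):
    """Return (grants, problems) for the contents of one uidgid.d file."""
    grants, problems = [], []
    section = None  # name of the section currently open, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        where = f"{source}:{lineno}"
        opened = re.fullmatch(r"(\w+)\s*\{", line)
        if opened:
            section = opened.group(1)
            if section != "uidgid":
                problems.append(f"{where}: unexpected section '{section}'")
            continue
        if line == "}":
            section = None
            continue
        key, sep, value = (part.strip() for part in line.partition(":"))
        if section != "uidgid" or not sep or not value:
            problems.append(f"{where}: misplaced or malformed line '{line}'")
        elif key not in ALLOWED_KEYS:
            problems.append(f"{where}: key '{key}' not allowed in uidgid")
        else:
            grants.append((key, value))  # a principal granted access
    if section is not None:
        problems.append(f"{source}: section '{section}' is never closed")
    return grants, problems

if __name__ == "__main__":
    grants, problems = audit_uidgid(SAMPLE)
    print("granted:", grants)
    print("problems:", problems)
```

Running it over every file in the uidgid.d directory gives a reviewable list of which accounts and groups have been granted access, which is the per-uid alternative to putting daemons in a shared group that this bug asks for.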

Comment 8 Jan Friesse 2009-05-20 13:31:16 UTC
Code (with change to /etc/corosync) pushed to upstream, so I'm closing bug.