Bug 349381 - GFS: Allow fence_egenera to specify ssh login name
Summary: GFS: Allow fence_egenera to specify ssh login name
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cman
Version: 5.0
Hardware: All
OS: Linux
high
high
Target Milestone: ---
: ---
Assignee: Jim Parsons
QA Contact: Cluster QE
URL:
Whiteboard:
Duplicates: 236090
Depends On: 437166 438028
Blocks: 391501 445931 488958
 
Reported: 2007-10-23 19:51 UTC by Issue Tracker
Modified: 2018-10-20 00:26 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
: 488958
Environment:
Last Closed: 2009-01-20 21:50:36 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch: add support for option user to fence agent egenera (2.27 KB, patch)
2008-02-27 13:36 UTC, Marek Grac


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:0189 0 normal SHIPPED_LIVE cman bug-fix and enhancement update 2009-01-20 16:05:55 UTC

Description Issue Tracker 2007-10-23 19:51:31 UTC
Escalated to Bugzilla from IssueTracker

Comment 1 Issue Tracker 2007-10-23 19:51:33 UTC
Below is the enhancement request made in Red Hat Bugzilla #236090 (https://bugzilla.redhat.com/show_bug.cgi?id=236090).  This is an important security enhancement that the US Census Bureau requires.  This affects RHEL4 and RHEL5.


Description of problem:
ENHANCEMENT: Allow fence_egenera to specify ssh login name.  Currently, it only
logs into the cBlade for a fencing operation as the user that ran the script,
and practically speaking, that is always the root user.

Version-Release number of selected component (if applicable):
4

How reproducible:
N/A

Steps to Reproduce:
1.N/A
2.N/A
3.N/A
  
Actual results:
N/A

Expected results:
N/A

Additional info:
The current fence_egenera script logs into the cBlade as root for a fencing
operation.  This is preventing a security-conscious client from deploying GFS
clusters in their DMZ environment.  Doing SCSI-3 PR in this environment is not
yet a viable option.
This event sent from IssueTracker by jwilleford  [Census]
 issue 135456

Comment 2 Jason Willeford 2007-10-23 19:53:36 UTC
Preferably, the default user name for this enhancement would be 'fence', or
something similar.  This may or may not cause package update issues.  On the
BladeFrame, user 'fence' would have to have rights to the LPAN(s) containing the
servers (and corresponding blades) it needs to be able to fence.  This note
would have to be added to the documentation for fence_egenera.



Comment 5 Neal Pitts 2008-02-20 21:15:52 UTC
*** Bug 236090 has been marked as a duplicate of this bug. ***

Comment 6 Marek Grac 2008-02-27 13:36:28 UTC
Created attachment 296061 [details]
Patch: add support for option user to fence agent egenera

Comment 9 Chris Ward 2008-11-28 07:12:29 UTC
Partners, this bug should be fixed in the latest RHEL 5.3 Snapshot. We believe that you have some interest in its correct functionality, so we're making a friendly request to send us some testing feedback. 

If you have a chance to test it, please share with us your findings. If you have successfully VERIFIED the fix, please add PartnerVerified to the Bugzilla keywords, along with a description of the results. Thanks!

Comment 11 errata-xmlrpc 2009-01-20 21:50:36 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0189.html

