[Openstack] RFC: Plugin framework draft

Thierry Carrez thierry at openstack.org
Mon May 21 12:53:54 UTC 2012


Andrew Bogott wrote:
> Remaining tasks:
> 
> - Extending rootwrap (or, specifically, getting gluster into sudo somehow)

I started looking into the security model around adding run-as-root
commands. You obviously can't rely on code run as the nova user to "plug
in" new run-as-root commands, as it would defeat the security model.

I still need to polish the model, but the idea would be to rely on a
root-owned configuration directory (think /etc/nova/rootwrap.d) in which
the filters would be described. The directory would be specified
directly on the root_helper option, and authorized by the sudoers file.
The filter configuration files would replace the current static
rootwrap.{compute,network...} files.

So a plug-in that wants to add nova run-as-root commands would just have
to drop an extra file in that directory, as part of its install.

Thoughts?

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
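
Added example (not part of the original message and not nova's rootwrap code): a sketch of the check the proposal depends on, namely that the root-side helper loads filter definitions only from a directory and files owned by root and not writable by anyone else, so code running as the nova user cannot add a command. The `.filters` suffix, the `[Filters]` section with `name = /absolute/path` entries, and the function names are assumptions made for illustration.

```python
import configparser
import os
import stat


class UntrustedFilterSource(Exception):
    """Raised when a filter directory or file could have been modified by a non-root user."""


def _check_trusted(path, trusted_uid, want_dir):
    st = os.lstat(path)  # lstat, so a symlink cannot stand in for the real object
    kind_ok = stat.S_ISDIR(st.st_mode) if want_dir else stat.S_ISREG(st.st_mode)
    if not kind_ok:
        raise UntrustedFilterSource(f"{path}: unexpected file type")
    if st.st_uid != trusted_uid:
        raise UntrustedFilterSource(f"{path}: not owned by uid {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UntrustedFilterSource(f"{path}: writable by group or others")


def load_filters(filters_dir, trusted_uid=0):
    """Return {command_name: absolute_executable_path} from every *.filters file."""
    _check_trusted(filters_dir, trusted_uid, want_dir=True)
    filters = {}
    for name in sorted(os.listdir(filters_dir)):
        if not name.endswith(".filters"):  # hypothetical suffix
            continue
        path = os.path.join(filters_dir, name)
        _check_trusted(path, trusted_uid, want_dir=False)
        parser = configparser.RawConfigParser()
        parser.optionxform = str  # keep command names case-sensitive
        with open(path) as fh:
            parser.read_file(fh)
        if not parser.has_section("Filters"):  # hypothetical section name
            continue
        for key, exe in parser.items("Filters"):
            if not os.path.isabs(exe):
                raise UntrustedFilterSource(f"{path}: {key} is not an absolute path")
            filters[key] = exe
    return filters


def resolve(filters, argv):
    """Return the executable to run as root for argv, or None if no filter allows it."""
    return filters.get(argv[0]) if argv else None
```

A plug-in's install step would drop one such file into the directory as root; a file created or loosened by the unprivileged service user fails the ownership or mode check and nothing from that directory is loaded.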



