[Openstack] RFC: Plugin framework draft

Andrew Bogott abogott at wikimedia.org
Mon May 21 14:35:14 UTC 2012


On 5/21/12 7:53 AM, Thierry Carrez wrote:
> Andrew Bogott wrote:
>> Remaining tasks:
>>
>> - Extending rootwrap (or, specifically, getting gluster into sudo somehow)
> I started looking into the security model around adding run-as-root
> commands. You obviously can't rely on code run as the nova user to "plug
> in" new run-as-root commands, as it would defeat the security model.
>
> I still need to polish the model, but the idea would be to rely on a
> root-owned configuration directory (think /etc/nova/rootwrap.d) in which
> the filters would be described. The directory would be specified
> directly on the root_helper option, and authorized by the sudoers file.
> The filters configuration files would replace the current static
> rootwrap.{compute,network...} files.
>
> So a plug-in that wants to add nova run-as-root commands would just have
> to drop an extra file in that directory, as part of its install.

That sounds perfectly reasonable.

I don't immediately know the proper way to do that using pip and 
setup.py, but since they run as root it should be trivial to create a 
new file at install time.  I can only hope that there's an equivalent 
option during uninstall.
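
An added example, not part of the original thread and not nova's own code: a check of the property the quoted proposal depends on, namely that a non-root user can change neither the filters directory nor any file dropped into it. The function name `audit_filters_dir`, the `trusted_uid` parameter and the file names in the demo are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_filters_dir(path, trusted_uid=0):
    """List reasons an unprivileged user could change the filters in `path`."""
    try:
        if not stat.S_ISDIR(os.lstat(path).st_mode):
            return [f"{path}: not a directory (symlinks are rejected)"]
    except OSError as exc:
        return [f"{path}: {exc.strerror}"]
    problems = []
    # The directory itself matters too: write access there allows adding files.
    for entry in [path] + sorted(os.path.join(path, n) for n in os.listdir(path)):
        st = os.lstat(entry)  # lstat: never follow a link out of the directory
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{entry}: symlink")
            continue
        if st.st_uid != trusted_uid:
            problems.append(f"{entry}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{entry}: group/world-writable")
    return problems


def demo():
    """Build a constructed filters directory and audit it before and after a change."""
    uid = os.getuid()  # stands in for root so the demo runs unprivileged
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        core = os.path.join(d, "compute.filters")    # constructed file name
        extra = os.path.join(d, "gluster.filters")   # constructed plug-in file
        for p in (core, extra):
            with open(p, "w") as fh:
                fh.write("# constructed placeholder\n")
            os.chmod(p, 0o644)
        clean = audit_filters_dir(d, trusted_uid=uid)
        os.chmod(extra, 0o666)  # a plug-in installer shipped a loose mode
        os.symlink("/tmp/elsewhere", os.path.join(d, "link.filters"))
        loose = audit_filters_dir(d, trusted_uid=uid)
    return clean, loose


if __name__ == "__main__":
    print(demo())
```

With the default `trusted_uid=0` the same call can be pointed at a directory such as the /etc/nova/rootwrap.d mentioned above after a plug-in has been installed.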



