Revision d14c222a
b/doc/design-2.3.rst
723 | 723 |
============================ =================== ==================== |
724 | 724 |
|
725 | 725 |
|
726 |
Privilege Separation |
|
727 |
-------------------- |
|
728 |
|
|
729 |
Current state and short comings |
|
730 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
731 |
|
|
732 |
As of Ganeti 2.2 we introduced privilege separation. This was affecting |
|
733 |
just Ganeti RAPI and also that just in a quickly short term solution. In |
|
734 |
this release we iterate again over it and make it more advanced and |
|
735 |
stable. This also means we'll remove the privilege separation again from |
|
736 |
the core and put it completely external so the daemons will be started |
|
737 |
on the final user already. |
|
738 |
|
|
739 |
Additionally this involves removing SSH code out auf bootstrap and core |
|
740 |
component and put it into a separate script. This means every |
|
741 |
daemon/script will assume that a working ssh setup is in place. |
|
742 |
|
|
743 |
Implementation |
|
744 |
~~~~~~~~~~~~~~ |
|
745 |
|
|
746 |
We need to partially revert changes done in Ganeti 2.2 to move on the |
|
747 |
long term solution. This involves removing the drop privileges code in |
|
748 |
``daemons.py`` as this is already done on startup time by |
|
749 |
``start-stop-daemon`` util. |
|
750 |
|
|
751 |
The ssh code will be separated into one single script called upon |
|
752 |
``gnt-node add`` which guarantees that the SSH setup is done and |
|
753 |
functioning. |
|
754 |
|
|
755 |
Additionally some of the utils.WriteFile calls needs to be adjusted |
|
756 |
for the new permissions and ownerships. |
|
757 |
|
|
758 |
Security Domains |
|
759 |
~~~~~~~~~~~~~~~~ |
|
760 |
|
|
761 |
In order to separate the permissions of file sets we separate them |
|
762 |
into the following 3 overall security domain chunks: |
|
763 |
|
|
764 |
1. Public: ``0755`` respectively ``0644`` |
|
765 |
2. Ganeti wide: shared between the daemons (gntdaemons) |
|
766 |
3. Secret files: shared just between a specified set of daemons/users |
|
767 |
|
|
768 |
So for point 3 this tables shows the correlation of the sets to groups |
|
769 |
and their users: |
|
770 |
|
|
771 |
=== ========== ============================== ========================== |
|
772 |
Set Group Users Description |
|
773 |
=== ========== ============================== ========================== |
|
774 |
A gntrapi gntrapi, gntmasterd Share data between |
|
775 |
gntrapi & gntmasterd |
|
776 |
B gntadmins gntrapi, gntmasterd, *users* Shared between users who |
|
777 |
needs to call gntmasterd |
|
778 |
C gntconfd gntconfd, gntmasterd Share data between |
|
779 |
gntconfd & gntmasterd |
|
780 |
D gntmasterd gntmasterd masterd only; Currently |
|
781 |
only to redistribute the |
|
782 |
configuration, has access |
|
783 |
to all files under |
|
784 |
``lib/ganeti`` |
|
785 |
E gntdaemons gntmasterd, gntrapi, gntconfd Shared between the various |
|
786 |
Ganeti daemons to exchange |
|
787 |
data |
|
788 |
=== ========== ============================== ========================== |
|
789 |
|
|
790 |
Restricted commands |
|
791 |
~~~~~~~~~~~~~~~~~~~ |
|
792 |
|
|
793 |
The following commands needs still root to fulfill their functions: |
|
794 |
|
|
795 |
:: |
|
796 |
|
|
797 |
gnt-cluster {init|destroy|command|copyfile|rename|masterfailover|renew-crypto} |
|
798 |
gnt-node {add|remove} |
|
799 |
gnt-instance {console} |
|
800 |
|
|
801 |
Directory structure & permissions |
|
802 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
803 |
|
|
804 |
Here's how we propose to change the filesystem hierachy and their |
|
805 |
permissions. |
|
806 |
|
|
807 |
Assuming it follows the defaults: ``gnt${daemon}`` for user and |
|
808 |
the groups from the section `Security Domains`_:: |
|
809 |
|
|
810 |
${localstatedir}/lib/ganeti/ (0755; gntmasterd:gntmasterd) |
|
811 |
cluster-domain-secret (0600; gntmasterd:gntmasterd) |
|
812 |
config.data (0640; gntmasterd:gntconfd) |
|
813 |
hmac.key (0440; gntmasterd:gntconfd) |
|
814 |
known_host (0644; gntmasterd:gntmasterd) |
|
815 |
queue/ (0700; gntmasterd:gntmasterd) |
|
816 |
archive/ (0700; gntmasterd:gntmasterd) |
|
817 |
* (0600; gntmasterd:gntmasterd) |
|
818 |
* (0600; gntmasterd:gntmasterd) |
|
819 |
rapi.pem (0440; gntrapi:gntrapi) |
|
820 |
rapi_users (0640; gntrapi:gntrapi) |
|
821 |
server.pem (0440; gntmasterd:gntmasterd) |
|
822 |
ssconf_* (0444; root:gntmasterd) |
|
823 |
uidpool/ (0750; root:gntmasterd) |
|
824 |
watcher.data (0600; root:gntmasterd) |
|
825 |
${localstatedir}/run/ganeti/ (0770; gntmasterd:gntdaemons) |
|
826 |
socket/ (0750; gntmasterd:gntadmins) |
|
827 |
ganeti-master (0770; gntmasterd:gntadmins) |
|
828 |
${localstatedir}/log/ganeti/ (0770; gntmasterd:gntdaemons) |
|
829 |
master-daemon.log (0600; gntmasterd:gntdaemons) |
|
830 |
rapi-daemon.log (0600; gntrapi:gntdaemons) |
|
831 |
conf-daemon.log (0600; gntconfd:gntdaemons) |
|
832 |
node-daemon.log (0600; gntnoded:gntdaemons) |
|
833 |
|
|
834 |
|
|
726 | 835 |
Feature changes |
727 | 836 |
=============== |
728 | 837 |
|
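Review bot: the permissions in the "Directory structure & permissions" tree contradict the "Security Domains" table on two points. Set D says gntmasterd "has access to all files under ``lib/ganeti``" in order to redistribute the configuration, yet ``rapi.pem (0440; gntrapi:gntrapi)`` and ``rapi_users (0640; gntrapi:gntrapi)`` are unreadable by gntmasterd; either put them in a group masterd belongs to (Set A's ``gntrapi`` group already contains both gntrapi and gntmasterd, so e.g. ``rapi_users (0640; root:gntrapi)`` would work) or narrow the "all files" claim. Second, ``node-daemon.log (0600; gntnoded:gntdaemons)`` introduces a ``gntnoded`` user that appears in no set of the table, while Set E lists only gntmasterd, gntrapi and gntconfd as members of ``gntdaemons``; the table should state whether noded gets an unprivileged user or keeps running as root. Owning ``rapi_users`` as ``gntrapi`` with mode 0640 also lets the RAPI daemon rewrite its own credential file, so root ownership with group read is preferable if rapi only needs to read it. ``ssconf_*`` at 0444 is world-readable, which should be called out under the "Public" domain if every ssconf value is meant to be public. Wording: "short comings" should be "shortcomings", "out auf bootstrap" should be "out of bootstrap", "this tables shows" should be "this table shows", "needs still root" should be "still need root", "hierachy" should be "hierarchy", and "utils.WriteFile calls needs" should be "calls need".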