Add rootwrap to Horizon
openstack/
[1] https:/
Related commit: https:/
Blueprint information
- Status: Complete
- Approver: Gabriel Hurley
- Priority: Low
- Drafter: Dan Varga
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Not started
- Milestone target: None
- Started by:
- Completed by: Matthias Runge
Whiteboard
[2013-08-06 | Gabriel] My initial feeling is that your webserver process should be run in isolation; e.g. there shouldn't be anything you'd want to shell out *to* in the same execution context. Other services ought to be run in their own contexts and have published APIs/endpoints to talk to. That's more or less the guiding principle for Horizon's design. I'm open to hearing use cases for this, but the bar for acceptance will be data sources/services which absolutely *must* be run in the same context as Horizon.
[2013-08-06 | Dan] My use case for rootwrap is to be able to reach down and obtain log files and diagnostic data via the sosreport command. This command must be run as root and does not have a daemon/API. My dashboard plugin makes obtaining this information and sending it up to support for analysis simple. Rootwrap is incredibly restrictive by default and requires root-owned files ("filters") to be installed for a whitelist of commands to execute (this list would be supplied by the plugin). More generically, a plugin writer at Company X may want to shell out and execute some command as root. Horizon is the likely spot for this type of integration since it is the "face" of OpenStack and the place to expose additional vendor-specific UI/usability enhancements.
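
A simplified model of the filter-file allow list discussed on the whiteboard, added here as an example; it is not oslo.rootwrap code and not part of the blueprint. The filter entry names, the sosreport argument patterns and the helper functions are assumptions; it shows that a filter checking only the executable accepts any arguments, while a per-argument pattern filter does not.

```python
# Added illustration: a simplified model of rootwrap-style command filtering.
# Not oslo.rootwrap code; function names and sample data are hypothetical.
import configparser
import re

# Constructed filters file of the kind a plugin would install root-owned.
# The argument patterns are sample values chosen for this example.
FILTERS = """
[Filters]
sos_any: CommandFilter, sosreport, root
sos_batch: RegExpFilter, sosreport, root, sosreport, --batch, --tmp-dir=/var/tmp/[a-z0-9]+
"""

def load_filters(text):
    """Parse '[Filters]' entries into (kind, executable, run_as, patterns)."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    filters = {}
    for name, value in parser.items("Filters"):
        kind, exe, run_as, *patterns = [v.strip() for v in value.split(",")]
        filters[name] = (kind, exe, run_as, patterns)
    return filters

def matches(flt, argv):
    """Return True if argv is allowed by a single filter."""
    kind, exe, _run_as, patterns = flt
    if not argv or argv[0] != exe:
        return False
    if kind == "CommandFilter":
        # Only the executable is checked: every argument is accepted.
        return True
    if kind == "RegExpFilter":
        # One anchored pattern per argv element; lengths must agree.
        return len(patterns) == len(argv) and all(
            re.fullmatch(p, a) for p, a in zip(patterns, argv))
    return False  # unknown filter kinds deny by default

def allowed_by(filters, argv):
    """Names of the filters that would let argv run as root."""
    return sorted(n for n, f in filters.items() if matches(f, argv))

if __name__ == "__main__":
    f = load_filters(FILTERS)
    print(allowed_by(f, ["sosreport", "--batch", "--tmp-dir=/var/tmp/case42"]))
    print(allowed_by(f, ["sosreport", "--some-other-option"]))
```

With both entries installed, the second command is still admitted by `sos_any`, so a plugin that intends to pin arguments has to ship only the pattern-based entry.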