I've searched the forum and didn't see this posted. Also I'm new here.
If my suggestion is far-fetched, I apologize in advance. Feedback is appreciated.
Problem
The new cluster options are great. I just miss one feature:
Be able to update the cluster IP list on all servers without compromising security.
Explanation
I like the ability to change the csf.conf from one server and push it out to all other servers. This is especially necessary when adding new servers to the cluster.
We add/remove servers in our server park quite frequently, so editing the cluster IP list on all servers manually is not an option.
BUT allowing CLUSTER_CONFIG on all servers is a very big security risk.
If one server is compromised then all firewalls on all servers could be taken down.
Suggestion
I suggest that a special authentication (public-private key) can be used to change the csf.conf, OR at least change the cluster IP lists.
Maybe even an extra list of IP numbers that are allowed to do this.
Cluster suggestion [cluster_config]
I did think of this when writing the code for the CLUSTER options. The problem remains the same though, if one server is root compromised, you are still able to modify the whole cluster from that node.
Modification of the csf.conf values could very easily allow remote access to the root account on all of the servers in the cluster.
The only way I can think of to restrict such an issue would be to elect one single server in the cluster that is allowed to issue the configuration changes to the others, and you hope that that one is never compromised.