<div class="gmail_quote">On Fri, Dec 9, 2011 at 3:19 PM, Andreas Kurz <span dir="ltr"><<a href="mailto:andreas@hastexo.com">andreas@hastexo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hello Larry,<br>
<div><div class="h5"><br>
On 12/09/2011 11:15 PM, Larry Brigman wrote:<br>
> I have installed pacemaker 1.1.5 and configure ACLs based on the info from<br>
> <a href="http://www.clusterlabs.org/doc/acls.html" target="_blank">http://www.clusterlabs.org/doc/acls.html</a><br>
><br>
> It looks like the user still does not have read access.<br>
><br>
> Here is the acl section of config<br>
> <acls><br>
> <acl_role id="monitor"><br>
> <read id="monitor-read" xpath="/cib"/><br>
> </acl_role><br>
> <acl_user id="nvs"><br>
> <role_ref id="monitor"/><br>
> </acl_user><br>
> <acl_user id="acm"><br>
> <role_ref id="monitor"/><br>
> </acl_user><br>
> </acls><br>
><br>
> Here is what the user is getting:<br>
> [nvs@sweng0057 ~]$ crm node show<br>
> Signon to CIB failed: connection failed<br>
> Init failed, could not perform requested operations<br>
> ERROR: cannot parse xml: no element found: line 1, column 0<br>
> [nvs@sweng0057 ~]$ crm status<br>
><br>
> Connection to cluster failed: connection failed<br>
><br>
><br>
> Any ideas as to why this wouldn't work and what to fix?<br>
<br>
</div></div>If you really followed exactly the guide ... did you check user nvs<br>
already is in group "haclient"?<br></blockquote><div>Thought of that.<br><br>Adding the user to the haclient group removes any restrictions as I was able to <br>write to the config without error.<br> <br></div>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
You may only need to "reload" group membership for nvs by doing a<br>
logout/login or a "su - nvs".<br>
<br></blockquote></div><br>Also did a logout/login and rerun the commands. With the info as written, it doesn't work<br>for me. At the suggestion from one of my developers I changed the role from monitor<br>to view. This forced me to remove the user as I could not add a new role to the same<br>
user. No success.<br><br>