<div class="gmail_quote">On Mon, Dec 12, 2011 at 4:38 PM, Andreas Kurz <span dir="ltr"><<a href="mailto:andreas@hastexo.com">andreas@hastexo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 12/12/2011 03:37 AM, Larry Brigman wrote:<br>
><br>
><br>
> On Sun, Dec 11, 2011 at 5:01 PM, Tim Serong <<a href="mailto:tserong@suse.com">tserong@suse.com</a><br>
</div><div class="im">> <mailto:<a href="mailto:tserong@suse.com">tserong@suse.com</a>>> wrote:<br>
><br>
> On 12/10/2011 10:35 AM, Larry Brigman wrote:<br>
><br>
> On Fri, Dec 9, 2011 at 3:19 PM, Andreas Kurz<br>
> <<a href="mailto:andreas@hastexo.com">andreas@hastexo.com</a> <mailto:<a href="mailto:andreas@hastexo.com">andreas@hastexo.com</a>><br>
</div><div class="im">> <mailto:<a href="mailto:andreas@hastexo.com">andreas@hastexo.com</a> <mailto:<a href="mailto:andreas@hastexo.com">andreas@hastexo.com</a>>>> wrote:<br>
><br>
> Hello Larry,<br>
><br>
> On 12/09/2011 11:15 PM, Larry Brigman wrote:<br>
> > I have installed pacemaker 1.1.5 and configure ACLs based<br>
> on the<br>
> info from<br>
</div>> > <a href="http://www.clusterlabs.org/__doc/acls.html" target="_blank">http://www.clusterlabs.org/__doc/acls.html</a><br>
<div><div class="h5">> <<a href="http://www.clusterlabs.org/doc/acls.html" target="_blank">http://www.clusterlabs.org/doc/acls.html</a>><br>
> ><br>
> > It looks like the user still does not have read access.<br>
> ><br>
> > Here is the acl section of config<br>
> > <acls><br>
> > <acl_role id="monitor"><br>
> > <read id="monitor-read" xpath="/cib"/><br>
> > </acl_role><br>
> > <acl_user id="nvs"><br>
> > <role_ref id="monitor"/><br>
> > </acl_user><br>
> > <acl_user id="acm"><br>
> > <role_ref id="monitor"/><br>
> > </acl_user><br>
> > </acls><br>
> ><br>
> > Here is what the user is getting:<br>
> > [nvs@sweng0057 ~]$ crm node show<br>
> > Signon to CIB failed: connection failed<br>
> > Init failed, could not perform requested operations<br>
> > ERROR: cannot parse xml: no element found: line 1, column 0<br>
> > [nvs@sweng0057 ~]$ crm status<br>
> ><br>
> > Connection to cluster failed: connection failed<br>
> ><br>
> ><br>
> > Any ideas as to why this wouldn't work and what to fix?<br>
><br>
> If you really followed exactly the guide ... did you check<br>
> user nvs<br>
> already is in group "haclient"?<br>
><br>
> Thought of that.<br>
><br>
> Adding the user to the haclient group removes any restrictions<br>
> as I was<br>
> able to<br>
> write to the config without error.<br>
><br>
><br>
> Did you set "crm configure property enable-acl=true"? Without this,<br>
> all users in the haclient group have full access.<br>
><br>
><br>
> That was the second setting I added or changed. The first was the<br>
> schema to pacemaker-1.1.<br>
> Exactly like the acl page. I verified that both the schema and acl were<br>
> configured in with a dump of the xml.<br>
<br>
</div></div>Your pacemaker build has acls enabled? ... "cibadmin -!" or "crm_report<br>
--features" should list the builtin features.<br>
<div class="im HOEnZb"><br></div></blockquote></div><br>[root@sweng0057 ~]# cibadmin -!<br>Pacemaker 1.1.5-1.1.sme (Build: 01e86afaaa6d4a8c4836f68df80ababd6ca3902f): docbook-manpages ncurses cs-quorum corosync<br><br>Not enabled....<br>
<br>That explains it. The configure script doesn't enable acls by default so it's not built with<br>them.<br><br>I'll make another pass when I rebuild my rpm package.<br><br><br><br>