<div class="gmail_quote">On Wed, Jan 4, 2012 at 8:50 PM, Gao,Yan <span dir="ltr"><<a href="mailto:ygao@suse.com">ygao@suse.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Larry,<br>
<div class="im"><br>
On 01/05/12 02:53, Larry Brigman wrote:<br>
> On Mon, Dec 12, 2011 at 9:48 PM, Larry Brigman <<a href="mailto:larry.brigman@gmail.com">larry.brigman@gmail.com</a><br>
</div><div class="im">> <mailto:<a href="mailto:larry.brigman@gmail.com">larry.brigman@gmail.com</a>>> wrote:<br>
><br>
> On Mon, Dec 12, 2011 at 4:38 PM, Andreas Kurz <<a href="mailto:andreas@hastexo.com">andreas@hastexo.com</a><br>
</div><div class="im">> <mailto:<a href="mailto:andreas@hastexo.com">andreas@hastexo.com</a>>> wrote:<br>
><br>
> On 12/12/2011 03:37 AM, Larry Brigman wrote:<br>
><br>
> ....<br>
> [root@sweng0057 ~]# cibadmin -!<br>
> Pacemaker 1.1.5-1.1.sme (Build:<br>
> 01e86afaaa6d4a8c4836f68df80ababd6ca3902f): docbook-manpages ncurses<br>
> cs-quorum corosync<br>
><br>
> Not enabled....<br>
><br>
> That explains it. The configure script doesn't enable acls by<br>
> default so it's not built with<br>
> them.<br>
><br>
> I'll make another pass when I rebuild my rpm package.<br>
><br>
> Testing new build still doesn't work when acl is enabled.<br>
><br>
> cibadmin -!<br>
> Pacemaker 1.1.5-1.2.sme (Build:<br>
> 01e86afaaa6d4a8c4836f68df80ababd6ca3902f): docbook-manpages ncurses<br>
> cs-quorum corosync acl<br>
> [root@sweng0096 ~]# cibadmin --modify --xml-text '<cib<br>
> validate-with="pacemaker-1.1"/>'<br>
</div>This is not required any more. "pacemaker-1.2" schema support ACL too.<br>
<div class="im"><br>
> [root@sweng0096 ~]# crm configure property enable-acl=true<br>
> [root@sweng0096 ~]# crm<br>
> crm(live)#<br>
> role monitor \<br>
>> read xpath:"/cib"<br>
> crm(live)configure# user nvs role:monitor<br>
> crm(live)configure# user acm role:monitor<br>
> crm(live)configure# commit<br>
> crm(live)configure# exit<br>
> bye<br>
> [root@sweng0096 ~]# su - nvs<br>
> [nvs@sweng0096 ~]$ crm status<br>
><br>
> Connection to cluster failed: connection failed<br>
</div>What about:<br>
# id nvs<br>
# ls -ld /var/run/crm<br>
# ls -l /var/run/crm<br>
<div class="im"><br></div></blockquote><div> [root@myname run]# id nvs</div><div>uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)</div><div> [root@myname ~]# cd /var/run/crm</div><div>[root@myname crm]# ls</div><div>attrd cib_callback cib_ro cib_rw crmd pengine st_callback st_command</div>
<div>[root@myname crm]# cd ..</div><div>[root@myname run]# ls -ld crm</div><div>drwxr-x--- 2 hacluster haclient 200 Jan 4 10:31 crm</div><div>[root@myname run]# ls -l crm</div><div>total 0</div><div>srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 attrd</div>
<div>srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_callback</div><div>srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_ro</div><div>srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_rw</div><div>srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 crmd</div>
<div>srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 pengine</div><div>srwxrwxrwx 1 root root 0 Jan 4 10:31 st_callback</div><div>srwxrwxrwx 1 root root 0 Jan 4 10:31 st_command</div><div><br></div><div>If I change the crm directory permissions from 750 to 755 then</div>
<div>things work. Should that be needed? </div><div><br></div><div>Looking at the spec file I find the following:</div><div><div>%dir %attr (750, %{uname}, %{gname}) %{_var}/run/crm</div></div><div><br></div><div>Adding the user to the haclient group works but then the user has</div>
<div>full write access which isn't what is wanted.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
><br>
><br>
> [root@sweng0096 ~]# cibadmin --query<br>
> output modified to only include relevent portions.<br>
> <cib epoch="16" num_updates="17" admin_epoch="0"<br>
> validate-with="pacemaker-1.1" crm_feature_set="3.0.5" have-quorum="0"<br>
> cib-last-written="Wed Jan 4 10:29:16 2012"<br>
</div>> dc-uuid="<a href="http://sweng0096.lab.c-cor.com" target="_blank">sweng0096.lab.c-cor.com</a> <<a href="http://sweng0096.lab.c-cor.com" target="_blank">http://sweng0096.lab.c-cor.com</a>>"><br>
<div class="im HOEnZb">> <configuration><br>
> <crm_config><br>
> <cluster_property_set id="cib-bootstrap-options"><br>
> ...<br>
> <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"<br>
> value="true"/><br>
> </cluster_property_set><br>
> ...<br>
> <acls><br>
> <acl_role id="monitor"><br>
> <read id="monitor-read" xpath="/cib"/><br>
> </acl_role><br>
> <acl_user id="nvs"><br>
> <role_ref id="monitor"/><br>
> </acl_user><br>
> <acl_user id="acm"><br>
> <role_ref id="monitor"/><br>
> </acl_user><br>
> </acls><br>
> </configuration><br>
> ...<br>
> </cib><br>
><br>
</div><span class="HOEnZb"><font color="#888888">--<br>
Gao,Yan <<a href="mailto:ygao@suse.com">ygao@suse.com</a>><br>
Software Engineer<br>
China Server Team, SUSE.<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Pacemaker mailing list: <a href="mailto:Pacemaker@oss.clusterlabs.org">Pacemaker@oss.clusterlabs.org</a><br>
<a href="http://oss.clusterlabs.org/mailman/listinfo/pacemaker" target="_blank">http://oss.clusterlabs.org/mailman/listinfo/pacemaker</a><br>
<br>
Project Home: <a href="http://www.clusterlabs.org" target="_blank">http://www.clusterlabs.org</a><br>
Getting started: <a href="http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf" target="_blank">http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf</a><br>
Bugs: <a href="http://bugs.clusterlabs.org" target="_blank">http://bugs.clusterlabs.org</a><br>
</div></div></blockquote></div><br>