<br><br><div class="gmail_quote">On Thu, Jan 5, 2012 at 12:34 AM, Gao,Yan <span dir="ltr"><<a href="mailto:ygao@suse.com">ygao@suse.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im">On 01/05/12 13:23, Larry Brigman wrote:<br>
> On Wed, Jan 4, 2012 at 8:50 PM, Gao,Yan <<a href="mailto:ygao@suse.com">ygao@suse.com</a><br>
</div><div class="im">> <mailto:<a href="mailto:ygao@suse.com">ygao@suse.com</a>>> wrote:<br>
><br>
> > [root@sweng0096 ~]# crm configure property enable-acl=true<br>
> > [root@sweng0096 ~]# crm<br>
> > crm(live)#<br>
> > role monitor \<br>
> >> read xpath:"/cib"<br>
> > crm(live)configure# user nvs role:monitor<br>
> > crm(live)configure# user acm role:monitor<br>
> > crm(live)configure# commit<br>
> > crm(live)configure# exit<br>
> > bye<br>
> > [root@sweng0096 ~]# su - nvs<br>
> > [nvs@sweng0096 ~]$ crm status<br>
> ><br>
> > Connection to cluster failed: connection failed<br>
> What about:<br>
> # id nvs<br>
> # ls -ld /var/run/crm<br>
> # ls -l /var/run/crm<br>
><br>
> [root@myname run]# id nvs<br>
> uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)<br>
</div>Any user who wants to access cib should belong to "haclient" group.<br>
That's the prerequisite.<br>
<div class="im"><br>
> [root@myname ~]# cd /var/run/crm<br>
> [root@myname crm]# ls<br>
> attrd cib_callback cib_ro cib_rw crmd pengine st_callback st_command<br>
> [root@myname crm]# cd ..<br>
> [root@myname run]# ls -ld crm<br>
> drwxr-x--- 2 hacluster haclient 200 Jan 4 10:31 crm<br>
> [root@myname run]# ls -l crm<br>
> total 0<br>
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 attrd<br>
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_callback<br>
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_ro<br>
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_rw<br>
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 crmd<br>
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 pengine<br>
> srwxrwxrwx 1 root root 0 Jan 4 10:31 st_callback<br>
> srwxrwxrwx 1 root root 0 Jan 4 10:31 st_command<br>
><br>
> If I change the crm directory permissions from 750 to 755 then<br>
> things work. Should that be needed?<br>
</div>No. 750 is expected.<br>
<div class="im"><br>
><br>
> Looking at the spec file I find the following:<br>
> %dir %attr (750, %{uname}, %{gname}) %{_var}/run/crm<br>
><br>
> Adding the user to the haclient group works but then the user has<br>
> full write access which isn't what is wanted.<br>
</div>It seems that either the running cib is not built "--with-acl" or acl is<br>
not enabled with "crm configure enable-acl=true". Either of them is not<br>
satisfied, the regular user gets full access.<br></blockquote><div> </div><br></div>The last piece, last time was that the users were not in the haclient group.<br><br>I now have all of that automated during our install but the users are still getting<br>
an error for access for a time after this is configured, then it starts working.<br>We don't have any exiting changes going into the cib. The only thing that I did<br>that might have caused this to start working but it wasn't a write:<br>
cibadmin --query<br>After that command things seem to work for a role based user with read only access.<br><br><br><br>