[Pacemaker] ACL setup
Larry Brigman
larry.brigman at gmail.com
Mon Dec 12 03:37:59 CET 2011
On Sun, Dec 11, 2011 at 5:01 PM, Tim Serong <tserong at suse.com> wrote:
> On 12/10/2011 10:35 AM, Larry Brigman wrote:
>
>> On Fri, Dec 9, 2011 at 3:19 PM, Andreas Kurz <andreas at hastexo.com
>> <mailto:andreas at hastexo.com>> wrote:
>>
>> Hello Larry,
>>
>> On 12/09/2011 11:15 PM, Larry Brigman wrote:
>> > I have installed pacemaker 1.1.5 and configure ACLs based on the
>> info from
>> > http://www.clusterlabs.org/**doc/acls.html<http://www.clusterlabs.org/doc/acls.html>
>> >
>> > It looks like the user still does not have read access.
>> >
>> > Here is the acl section of config
>> > <acls>
>> > <acl_role id="monitor">
>> > <read id="monitor-read" xpath="/cib"/>
>> > </acl_role>
>> > <acl_user id="nvs">
>> > <role_ref id="monitor"/>
>> > </acl_user>
>> > <acl_user id="acm">
>> > <role_ref id="monitor"/>
>> > </acl_user>
>> > </acls>
>> >
>> > Here is what the user is getting:
>> > [nvs at sweng0057 ~]$ crm node show
>> > Signon to CIB failed: connection failed
>> > Init failed, could not perform requested operations
>> > ERROR: cannot parse xml: no element found: line 1, column 0
>> > [nvs at sweng0057 ~]$ crm status
>> >
>> > Connection to cluster failed: connection failed
>> >
>> >
>> > Any ideas as to why this wouldn't work and what to fix?
>>
>> If you really followed exactly the guide ... did you check user nvs
>> already is in group "haclient"?
>>
>> Thought of that.
>>
>> Adding the user to the haclient group removes any restrictions as I was
>> able to
>> write to the config without error.
>>
>
> Did you set "crm configure property enable-acl=true"? Without this, all
> users in the haclient group have full access.
>
>
That was the second setting I added or changed. The first was the schema
to pacemaker-1.1.
Exactly like the acl page. I verified that both the schema and acl were
configured in with a dump of the xml.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://oss.clusterlabs.org/pipermail/pacemaker/attachments/20111211/4b0cbe1b/attachment-0001.html>
More information about the Pacemaker
mailing list