[Pacemaker] ACL setup

Larry Brigman larry.brigman at gmail.com
Mon Dec 12 03:37:59 CET 2011


On Sun, Dec 11, 2011 at 5:01 PM, Tim Serong <tserong at suse.com> wrote:

> On 12/10/2011 10:35 AM, Larry Brigman wrote:
>
>> On Fri, Dec 9, 2011 at 3:19 PM, Andreas Kurz <andreas at hastexo.com> wrote:
>>
>>    Hello Larry,
>>
>>    On 12/09/2011 11:15 PM, Larry Brigman wrote:
>>     > I have installed pacemaker 1.1.5 and configured ACLs based on the info from
>>     > http://www.clusterlabs.org/doc/acls.html
>>     >
>>     > It looks like the user still does not have read access.
>>     >
>>     > Here is the acl section of config
>>     > <acls>
>>     > <acl_role id="monitor">
>>     > <read id="monitor-read" xpath="/cib"/>
>>     > </acl_role>
>>     > <acl_user id="nvs">
>>     > <role_ref id="monitor"/>
>>     > </acl_user>
>>     > <acl_user id="acm">
>>     > <role_ref id="monitor"/>
>>     > </acl_user>
>>     > </acls>
>>     >
>>     > Here is what the user is getting:
>>     > [nvs@sweng0057 ~]$ crm node show
>>     > Signon to CIB failed: connection failed
>>     > Init failed, could not perform requested operations
>>     > ERROR: cannot parse xml: no element found: line 1, column 0
>>     > [nvs@sweng0057 ~]$ crm status
>>     >
>>     > Connection to cluster failed: connection failed
>>     >
>>     >
>>     > Any ideas as to why this wouldn't work and what to fix?
>>
>>    If you really followed exactly the guide ... did you check user nvs
>>    already is in group "haclient"?
>>
>> Thought of that.
>>
>> Adding the user to the haclient group removes any restrictions as I was able to
>> write to the config without error.
>>
>
> Did you set "crm configure property enable-acl=true"?  Without this, all
> users in the haclient group have full access.
>
>
That was the second setting I added or changed.  The first was the schema
to pacemaker-1.1.
Exactly like the acl page.  I verified that both the schema and acl were
configured in with a dump of the xml.
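
An added example, not part of the thread and not Pacemaker code: a Python check over a CIB XML dump for the prerequisites raised in this thread (schema pacemaker-1.1, enable-acl=true, haclient membership), plus role_ref ids that point at no acl_role. The sample CIB is constructed around the ACL section quoted above, and `check_acl_prereqs` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample CIB dump (not from the thread); the <acls> section
# mirrors the one quoted in the thread.
SAMPLE_CIB = """<cib validate-with="pacemaker-1.1" admin_epoch="0" epoch="5" num_updates="0">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="opt-enable-acl" name="enable-acl" value="true"/>
      </cluster_property_set>
    </crm_config>
    <acls>
      <acl_role id="monitor">
        <read id="monitor-read" xpath="/cib"/>
      </acl_role>
      <acl_user id="nvs"><role_ref id="monitor"/></acl_user>
      <acl_user id="acm"><role_ref id="monitor"/></acl_user>
    </acls>
  </configuration>
</cib>"""


def check_acl_prereqs(cib_xml, haclient_members):
    """Return a list of findings; empty means every check passed."""
    root = ET.fromstring(cib_xml)
    findings = []
    # 1. The thread's setup switches the schema to pacemaker-1.1 first.
    schema = root.get("validate-with")
    if schema != "pacemaker-1.1":
        findings.append(f"schema is {schema!r}, thread's setup uses pacemaker-1.1")
    # 2. Without enable-acl=true, haclient members have full access.
    props = root.findall("./configuration/crm_config/cluster_property_set/nvpair")
    if not any(p.get("name") == "enable-acl" and p.get("value") == "true" for p in props):
        findings.append("enable-acl is not set to true")
    # 3. Every role_ref must name a defined acl_role, and every ACL user
    #    must be in group haclient to connect to the CIB at all.
    roles = {r.get("id") for r in root.findall("./configuration/acls/acl_role")}
    for user in root.findall("./configuration/acls/acl_user"):
        uid = user.get("id")
        for ref in user.findall("role_ref"):
            if ref.get("id") not in roles:
                findings.append(f"acl_user {uid}: role_ref {ref.get('id')} has no acl_role")
        if uid not in haclient_members:
            findings.append(f"acl_user {uid} is not in group haclient")
    return findings
```

On a cluster node the second argument could come from `grp.getgrnam("haclient").gr_mem`, which lists only supplementary members, not users whose primary group is haclient.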