[Pacemaker] ACL setup
Gao,Yan
ygao at suse.com
Thu Jan 5 09:34:40 CET 2012
On 01/05/12 13:23, Larry Brigman wrote:
> On Wed, Jan 4, 2012 at 8:50 PM, Gao,Yan <ygao at suse.com
> <mailto:ygao at suse.com>> wrote:
>
> > [root at sweng0096 ~]# crm configure property enable-acl=true
> > [root at sweng0096 ~]# crm
> > crm(live)#
> > role monitor \
> >> read xpath:"/cib"
> > crm(live)configure# user nvs role:monitor
> > crm(live)configure# user acm role:monitor
> > crm(live)configure# commit
> > crm(live)configure# exit
> > bye
> > [root at sweng0096 ~]# su - nvs
> > [nvs at sweng0096 ~]$ crm status
> >
> > Connection to cluster failed: connection failed
> What about:
> # id nvs
> # ls -ld /var/run/crm
> # ls -l /var/run/crm
>
> [root at myname run]# id nvs
> uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)
Any user who wants to access cib should belong to "haclient" group.
That's the prerequisite.
> [root at myname ~]# cd /var/run/crm
> [root at myname crm]# ls
> attrd cib_callback cib_ro cib_rw crmd pengine st_callback st_command
> [root at myname crm]# cd ..
> [root at myname run]# ls -ld crm
> drwxr-x--- 2 hacluster haclient 200 Jan 4 10:31 crm
> [root at myname run]# ls -l crm
> total 0
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 attrd
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_callback
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_ro
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_rw
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 crmd
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 pengine
> srwxrwxrwx 1 root root 0 Jan 4 10:31 st_callback
> srwxrwxrwx 1 root root 0 Jan 4 10:31 st_command
>
> If I change the crm directory permissions from 750 to 755 then
> things work. Should that be needed?
No. 750 is expected.
>
> Looking at the spec file I find the following:
> %dir %attr (750, %{uname}, %{gname}) %{_var}/run/crm
>
> Adding the user to the haclient group works but then the user has
> full write access which isn't what is wanted.
It seems that either the running cib is not built "--with-acl" or acl is
not enabled with "crm configure enable-acl=true". Either of them is not
satisfied, the regular user gets full access.
Regards,
Gaoyan
--
Gao,Yan <ygao at suse.com>
Software Engineer
China Server Team, SUSE.
More information about the Pacemaker
mailing list