[Pacemaker] ACL setup
Larry Brigman
larry.brigman at gmail.com
Fri Jan 13 19:55:30 CET 2012
On Thu, Jan 5, 2012 at 12:34 AM, Gao,Yan <ygao at suse.com> wrote:
> On 01/05/12 13:23, Larry Brigman wrote:
> > On Wed, Jan 4, 2012 at 8:50 PM, Gao,Yan <ygao at suse.com
> > <mailto:ygao at suse.com>> wrote:
> >
> > > [root at sweng0096 ~]# crm configure property enable-acl=true
> > > [root at sweng0096 ~]# crm
> > > crm(live)#
> > > role monitor \
> > >   read xpath:"/cib"
> > > crm(live)configure# user nvs role:monitor
> > > crm(live)configure# user acm role:monitor
> > > crm(live)configure# commit
> > > crm(live)configure# exit
> > > bye
> > > [root at sweng0096 ~]# su - nvs
> > > [nvs at sweng0096 ~]$ crm status
> > >
> > > Connection to cluster failed: connection failed
> > What about:
> > # id nvs
> > # ls -ld /var/run/crm
> > # ls -l /var/run/crm
> >
> > [root at myname run]# id nvs
> > uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)
> Any user who wants to access cib should belong to "haclient" group.
> That's the prerequisite.
>
> > [root at myname ~]# cd /var/run/crm
> > [root at myname crm]# ls
> > attrd cib_callback cib_ro cib_rw crmd pengine st_callback st_command
> > [root at myname crm]# cd ..
> > [root at myname run]# ls -ld crm
> > drwxr-x--- 2 hacluster haclient 200 Jan 4 10:31 crm
> > [root at myname run]# ls -l crm
> > total 0
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 attrd
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_callback
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_ro
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_rw
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 crmd
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 pengine
> > srwxrwxrwx 1 root root 0 Jan 4 10:31 st_callback
> > srwxrwxrwx 1 root root 0 Jan 4 10:31 st_command
> >
> > If I change the crm directory permissions from 750 to 755 then
> > things work. Should that be needed?
> No. 750 is expected.
>
> >
> > Looking at the spec file I find the following:
> > %dir %attr (750, %{uname}, %{gname}) %{_var}/run/crm
> >
> > Adding the user to the haclient group works but then the user has
> > full write access which isn't what is wanted.
> It seems that either the running cib is not built "--with-acl" or acl is
> not enabled with "crm configure enable-acl=true". If either of them is not
> satisfied, the regular user gets full access.
>
The last piece, last time, was that the users were not in the haclient group.
I now have all of that automated during our install, but the users are still
getting an access error for a time after this is configured; then it starts
working.
We don't have any existing changes going into the cib. The only thing that
I did that might have caused this to start working, but it wasn't a write:

cibadmin --query

After that command things seem to work for a role-based user with read-only
access.
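The thread pins the "connection failed" symptom on a missing prerequisite rather than on the socket directory mode, and notes that roles are only enforced when the CIB has ACL support and enable-acl=true. The script below is an added example, not code from the thread or from Pacemaker: it takes the output of `id <user>`, `ls -ld /var/run/crm` and `crm configure show` and reports which of those prerequisites a read-only user is missing. The sample strings are constructed (the haclient gid 1000 and the exact `crm configure show` layout are assumptions); on a real node you would pass the real command output in their place.

```shell
#!/bin/sh
# Added example (not from the original thread). Offline check of the conditions
# the thread identifies for a read-only ACL user: haclient membership, the
# /var/run/crm directory left at 750 hacluster:haclient, enable-acl=true in the
# CIB, and a user-to-role mapping. Feed it real output of
#   id <user>; ls -ld /var/run/crm; crm configure show
# on a live node; the strings at the bottom are constructed samples.

# Is the user in the haclient group?  $1 = output of `id <user>`
in_haclient() {
    case "$1" in
        *"(haclient)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Is /var/run/crm still 750 hacluster:haclient?  $1 = output of `ls -ld /var/run/crm`
# Widening the directory to 755 "works" only because it bypasses the group check.
crm_dir_mode_ok() {
    set -- $1
    case "$1" in
        drwxr-x---*) ;;          # a trailing '.' or '+' (SELinux / POSIX ACL marker) is tolerated
        *) return 1 ;;
    esac
    [ "$3" = "hacluster" ] && [ "$4" = "haclient" ]
}

# Is ACL enforcement switched on?  $1 = text of `crm configure show`
# Accepts both enable-acl=true (as typed) and enable-acl="true" (as shown).
# Without it every haclient member gets full read/write access.
acl_enabled() {
    printf '%s\n' "$1" | grep -q 'enable-acl="*true'
}

# Does the configuration map the user to a role?  $1 = config text, $2 = user name
user_has_role() {
    printf '%s\n' "$1" | grep -q "^user $2 role:"
}

# Run all checks; print each failure; return 1 if any failed, else 0.
check_ro_user() {
    user=$1; id_out=$2; ls_out=$3; cfg=$4; rc=0
    in_haclient "$id_out"        || { echo "FAIL: $user is not in the haclient group"; rc=1; }
    crm_dir_mode_ok "$ls_out"    || { echo "FAIL: /var/run/crm is not 750 hacluster:haclient"; rc=1; }
    acl_enabled "$cfg"           || { echo "FAIL: enable-acl is not true; roles are not enforced"; rc=1; }
    user_has_role "$cfg" "$user" || { echo "FAIL: no 'user $user role:...' entry in the CIB"; rc=1; }
    return $rc
}

# Constructed sample data, shaped like the output in the thread (not real captures).
ID_OK='uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys),1000(haclient)'
ID_BAD='uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)'
LS_OK='drwxr-x--- 2 hacluster haclient 200 Jan 4 10:31 crm'
LS_BAD='drwxr-xr-x 2 hacluster haclient 200 Jan 4 10:31 crm'
CFG_OK='property $id="cib-bootstrap-options" enable-acl="true"
role monitor read xpath:"/cib"
user nvs role:monitor'
CFG_NOACL='role monitor read xpath:"/cib"
user nvs role:monitor'

check_ro_user nvs "$ID_OK" "$LS_OK" "$CFG_OK" && echo "nvs: read-only ACL prerequisites satisfied"
echo "--- same user without haclient membership and without enable-acl:"
check_ro_user nvs "$ID_BAD" "$LS_OK" "$CFG_NOACL" || echo "nvs: expect 'connection failed' or, once in the group, full access"
```

Run it as `sh check_acl.sh` to see both the passing and the failing case; each FAIL line names the prerequisite from the thread that still has to be fixed, and the directory check deliberately fails on 755 so that the wrong fix is flagged rather than accepted.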