[Pacemaker] ACL setup
Gao,Yan
ygao at suse.com
Thu Jan 5 08:34:40 UTC 2012
On 01/05/12 13:23, Larry Brigman wrote:
> On Wed, Jan 4, 2012 at 8:50 PM, Gao,Yan <ygao at suse.com
> <mailto:ygao at suse.com>> wrote:
>
> > [root at sweng0096 ~]# crm configure property enable-acl=true
> > [root at sweng0096 ~]# crm
> > crm(live)#
> > role monitor \
> >> read xpath:"/cib"
> > crm(live)configure# user nvs role:monitor
> > crm(live)configure# user acm role:monitor
> > crm(live)configure# commit
> > crm(live)configure# exit
> > bye
> > [root at sweng0096 ~]# su - nvs
> > [nvs at sweng0096 ~]$ crm status
> >
> > Connection to cluster failed: connection failed
> What about:
> # id nvs
> # ls -ld /var/run/crm
> # ls -l /var/run/crm
>
> [root at myname run]# id nvs
> uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)
Any user who wants to access the cib should belong to the "haclient" group.
That's the prerequisite.
> [root at myname ~]# cd /var/run/crm
> [root at myname crm]# ls
> attrd cib_callback cib_ro cib_rw crmd pengine st_callback st_command
> [root at myname crm]# cd ..
> [root at myname run]# ls -ld crm
> drwxr-x--- 2 hacluster haclient 200 Jan 4 10:31 crm
> [root at myname run]# ls -l crm
> total 0
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 attrd
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_callback
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_ro
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_rw
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 crmd
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 pengine
> srwxrwxrwx 1 root root 0 Jan 4 10:31 st_callback
> srwxrwxrwx 1 root root 0 Jan 4 10:31 st_command
>
> If I change the crm directory permissions from 750 to 755 then
> things work. Should that be needed?
No. 750 is expected.
>
> Looking at the spec file I find the following:
> %dir %attr (750, %{uname}, %{gname}) %{_var}/run/crm
>
> Adding the user to the haclient group works but then the user has
> full write access which isn't what is wanted.
It seems that either the running cib is not built "--with-acl" or acl is
not enabled with "crm configure enable-acl=true". If either of them is not
satisfied, the regular user gets full access.
Regards,
Gaoyan
--
Gao,Yan <ygao at suse.com>
Software Engineer
China Server Team, SUSE.
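The three conditions the reply lands on (haclient membership, /var/run/crm left at 750 hacluster:haclient, and enable-acl=true actually set) can be checked before handing a read-only role to a user. The preflight script below is an added example, not code from the thread or from Pacemaker; each check takes command output as an argument so it can be exercised on constructed samples, and the `crm configure show` form of the property output is assumed.

```shell
#!/bin/sh
# Preflight check for the Pacemaker ACL prerequisites discussed above.
# Each check parses the output of one command so it can be tested offline
# on constructed strings; run_checks gathers live output when a user name
# is given on the command line.

# 1. The user must be a member of haclient, because /var/run/crm is
#    750 hacluster:haclient and the IPC sockets live inside it.
user_in_haclient() {
    # $1 = output of `id <user>`,
    #      e.g. "uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)"
    case "$1" in
        *"(haclient)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. /var/run/crm keeps its packaged mode 750 and group haclient;
#    loosening it to 755 "works" but is not the intended fix.
crm_dir_ok() {
    # $1 = output of `ls -ld /var/run/crm`
    set -- $1                      # split into: mode links owner group ...
    [ "$1" = "drwxr-x---" ] && [ "$3" = "hacluster" ] && [ "$4" = "haclient" ]
}

# 3. Roles only restrict anything once enable-acl=true is set (and the
#    cib was built with ACL support); otherwise a haclient member has
#    full read/write access regardless of the role assigned.
acl_enabled() {
    # $1 = output of `crm configure show` (assumed layout: one
    #      "enable-acl=true" token among the cluster properties)
    case "$1" in
        *"enable-acl=true"*) return 0 ;;
        *) return 1 ;;
    esac
}

run_checks() {
    user="$1"; rc=0
    user_in_haclient "$(id "$user")"     || { echo "FAIL: $user is not in haclient"; rc=1; }
    crm_dir_ok "$(ls -ld /var/run/crm)"   || { echo "FAIL: /var/run/crm is not 750 hacluster:haclient"; rc=1; }
    acl_enabled "$(crm configure show)"   || { echo "FAIL: enable-acl is not true; roles are not enforced"; rc=1; }
    return $rc
}

# Only query the live node when a user name is supplied, e.g. ./acl_check.sh nvs
if [ $# -gt 0 ]; then run_checks "$1"; fi
```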