[Pacemaker] Can't issue 'crm configure' commands under privileged user
Colin McCormack
colin.mccormack at openet.com
Fri Sep 28 08:51:05 UTC 2012
Hi Lars,
> "This doesn't "allow" the user to configure the cluster, but runs all
commands from crm as this user (even if running as root). I'm not sure
this is very well tested. "
When i then run commands like crm configure under the root user it also
hangs.
> "I have the impression that the user colinlinux doesn't have
/usr/sbin in its path."
I do, see my original mail (but i understand you could have missed it as
it was a large mail)
Thanks for your reply and time taken.
I would be keen to verify that this behaviour is reasonable to assume
<i>should</i> be in pacemaker. The equivilant is in Veritas cluster
server where certain commands are issued from a 'normal' user and
trusted to configure the cluster/node.
Thanks again
Col
On 09/27/12 18:07, pacemaker-request at oss.clusterlabs.org wrote:
> Message: 3
> Date: Thu, 27 Sep 2012 16:40:15 +0200
> From: Lars Marowsky-Bree<lmb at suse.com>
> To: The Pacemaker cluster resource manager
> <pacemaker at oss.clusterlabs.org>
> Subject: Re: [Pacemaker] Can't issue 'crm configure' commands under
> privileged user
> Message-ID:<20120927144015.GO4345 at suse.de>
> Content-Type: text/plain; charset=iso-8859-1
>
> On 2012-09-27T14:57:08, Colin McCormack<colin.mccormack at openet.com> wrote:
>
>> > I installed pacemaker/corosync as root (details below):
>> > Pacemaker version 1.0.12, release 1.el5.centos, x86_64
>> > Corosync version 1.2.7, release 1.1.el5, x86_64
> You have the user in the haclient group, and thus it should be able to
> control the cluster. Perhaps
>
>> > Allow user with privileged access to configure the node:
>> > crm options user colinlinux
> This doesn't "allow" the user to configure the cluster, but runs all
> commands from crm as this user (even if running as root). I'm not sure
> this is very well tested.
>
>> > WITH SUDO:
>> > colinlinux# sudo crm configure primitive xclock ocf:tester:xclock op monitor interval=20 timeout=20 start-delay=30s params run_user=colinlinux meta failure-timeout="360" migration-threshold=5
>> > error given:
>> > # cibadmin not available, check your installation
> I have the impression that the user colinlinux doesn't have /usr/sbin in
> its path.
>
> If you want to restrict the commands that a non-root user can execute on
> the cluster, check out the CIB and the shell's ACL support.
>
>
> Regards,
> Lars
>
> --
> Architect Storage/HA
> SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imend?rffer, HRB 21284 (AG N?rnberg)
> "Experience is the name everyone gives to their mistakes." -- Oscar Wilde
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, please note that any review, dissemination, disclosure, alteration, printing, circulation, retention or transmission of this e-mail and/or any file or attachment transmitted with it, is prohibited and may be unlawful. If you have received this e-mail or any file or attachment transmitted with it in error please notify postmaster at openet.com. Although Openet has taken reasonable precautions to ensure no viruses are present in this email, we cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
More information about the Pacemaker
mailing list