[Pacemaker] Accessing CIB by user not 'root' and not 'hacluster'

Jacek Konieczny jajcus at jajcus.net
Fri Jan 25 04:39:41 EST 2013


Hi,

It used to be possible to access the Pacemaker's CIB from any user in
the 'haclient' group, but after one of the upgrades it stopped working
(I didn't care about this issue much then, so I cannot recall the exact
point). Now I would like to restore the cluster state overview
functionality in the UI of my system, so I would like to fix it.

Currently I use Pacemaker 1.1.8 and Corosync 2.2.0. The problem is:

$ id
uid=993(sipgwui) gid=993(sipgwui) groups=993(sipgwui),60(haclient),109(lighttpd)
$ cibadmin -Q
Could not establish cib_rw connection: Permission denied (13)
Signon to CIB failed: Transport endpoint is not connected
Init failed, could not perform requested operations

Strace shows this fails on:

open("/dev/shm/qb-cib_rw-control-12542-19960-19", O_RDWR) = -1 EACCES (Permission denied)

and:

$ ls -l /dev/shm/qb-cib_rw-control-12542-19960-19
-rw------- 1 hacluster root 24 Jan 25 10:31 /dev/shm/qb-cib_rw-control-12542-19960-19

I have googled around and found that a qb_ipcs_connection_auth_set() function
could be used to set the permissions right on the SHM file. I found the
right call in the Pacemaker sources (cib/callbacks.c), enclosed in the
'#if ENABLE_ACL' clause. My build was not compiled with the ACL support,
so I have re-built it with ACL on.

Now the behaviour is the same, with one exception:

$ ls -l /dev/shm/qb-cib_rw-control-1488-5008-17
-rw-rw---- 1 hacluster root 24 Jan 25 10:19 /dev/shm/qb-cib_rw-control-1488-5008-17

The file is now group-accessible, but the group is still 'root' and not
'haclient', although confdefs.h contained:

	#define CRM_DAEMON_GROUP "haclient"

The docs at http://clusterlabs.org/doc/acls.html state:

> The various tools for administering Pacemaker clusters (crm_mon, crm
> shell, cibadmin and friends, Python GUI, Hawk) can be used by the root
> user, or any user in the haclient group. By default, these users have
> full read/write access. 

This clearly is not the case.

Any ideas?

Greets,
	Jacek
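The two file states seen in this message (mode 0600 group root, then 0660 group root) can be reasoned about with the plain Unix permission check. The script below is an added example, not code from this thread or from Pacemaker or libqb: it emulates the open(O_RDWR) check for a non-root caller and, as a live check, stats the /dev/shm/qb-cib_rw-control-* files for a user and reports whether each file's group is the expected 'haclient'. The glob pattern and the uid/group values are taken from the output quoted above; the expected group name is an assumption based on the quoted ACL documentation.

```python
import glob
import grp
import os
import pwd
import stat

EXPECTED_GROUP = "haclient"  # assumption: group the ACL docs say should have access

def ipc_access(uid, gids, st_uid, st_gid, st_mode):
    """Emulate the kernel check for open(path, O_RDWR) by a non-root caller.
    Returns (allowed, reason). Owner bits win over group bits, as in the kernel."""
    if uid == st_uid:
        ok = st_mode & stat.S_IRUSR and st_mode & stat.S_IWUSR
        return bool(ok), "owner"
    if st_gid in gids:
        ok = st_mode & stat.S_IRGRP and st_mode & stat.S_IWGRP
        return bool(ok), "group bits" if ok else "group rw bits missing"
    # This is the case in the thread: group is 'root', caller is only in 'haclient'.
    return False, "caller not in file group"

def diagnose(pattern="/dev/shm/qb-cib_rw-control-*", user=None):
    """Stat the live libqb IPC files and report, for the given (or current) user,
    mode, group, whether open(O_RDWR) would succeed, and why."""
    name = user or pwd.getpwuid(os.getuid()).pw_name
    pw = pwd.getpwnam(name)
    # Supplementary groups come from /etc/group membership, like `id` shows.
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    report = []
    for path in sorted(glob.glob(pattern)):
        st = os.stat(path)
        allowed, why = ipc_access(pw.pw_uid, gids, st.st_uid, st.st_gid, st.st_mode)
        try:
            gname = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            gname = str(st.st_gid)
        if gname != EXPECTED_GROUP:
            why += " (group is %r, expected %r)" % (gname, EXPECTED_GROUP)
        report.append((path, oct(stat.S_IMODE(st.st_mode)), gname, allowed, why))
    return report

if __name__ == "__main__":
    for row in diagnose():
        print(*row)
```

Run it as the UI user (here 'sipgwui') while cib is up; a 0660 file whose group is still 'root' will show as denied with the "caller not in file group" reason, which is exactly the second state described in the message.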