[Pacemaker] crmsh doesn't respect the acl read permissions

Gao,Yan ygao at suse.com
Mon Jul 8 21:40:17 EDT 2013


Hi,
Was pacemaker built "--with-acl"? Is "acls" listed in the output of
"cibadmin -!"?

Regards,
  Gao,Yan

On 07/08/13 17:57, emmanuel segura wrote:
> Hi
> 
> I did
> 
> Thanks
> 
> 
> 2013/7/8 Dejan Muhamedagic <dejanmm at fastmail.fm>
> 
>     Hi,
> 
>     On Mon, Jul 08, 2013 at 12:52:07AM +0200, emmanuel segura wrote:
>     > Hello List
>     >
>     > Maybe this is the wrong list, but now I'm playing with pacemaker
>     > 1.10 and I see the crmsh doesn't respect the read permissions
>     > like I show below
>     >
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     > [root@nod01 ~]# id watch
>     > uid=505(watch) gid=100(users) groups=100(users),989(haclient)
>     >
>     > [root@nod01 ~]# crm configure show | grep dc
>     >     dc-version="1.1.10-1.fc18-e04c603" \
>     >     dc-deadtime="30"
>     >
>     > [root@nod01 ~]# su - watch
>     > [watch@nod01 ~]$ crm configure property dc-deadtime="60"
>     > [watch@nod01 ~]$ crm configure show | grep dc
>     >     dc-version="1.1.10-1.fc18-e04c603" \
>     >     dc-deadtime="60"
> 
>     > My acl
>     >
>     > role monitor \
>     >     read cib
>     > user watch \
>     >     role:monitor
>     >
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
>     Did you also set:
> 
>     crm configure property enable-acl=true
> 
>     BTW, it is not crmsh but cib (the process) which evaluates the
>     ACL.
> 
>     Thanks,
> 
>     Dejan
> 
>     >
>     >
>     > Thanks
>     >
>     >
>     > --
>     > this is my life and I live it for as long as God wills
> 
>     > _______________________________________________
>     > Pacemaker mailing list: Pacemaker at oss.clusterlabs.org
>     > http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>     >
>     > Project Home: http://www.clusterlabs.org
>     > Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>     > Bugs: http://bugs.clusterlabs.org
> 
> -- 
> this is my life and I live it for as long as God wills
> 

-- 
Gao,Yan <ygao at suse.com>
Software Engineer
China Server Team, SUSE.
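
The checks raised in this thread (an "acls" entry in the `cibadmin -!` output, `enable-acl=true`, and the `haclient` membership visible in the `id watch` output) can be run together; the script below is an added example, not part of the original messages or of Pacemaker/crmsh. The function names are hypothetical, the sample inputs are constructed, and treating `haclient` membership as a prerequisite is an assumption based on Pacemaker's usual requirement for non-root CIB users.

```shell
#!/bin/sh
# Added example: offline checks for the ACL prerequisites raised in this thread.
# Each check reads captured command output on stdin.

# Input: output of `cibadmin -!`. True if "acls" is one of the listed features.
has_acl_feature() {
    tr -s ' \t' '\n\n' | grep -qx 'acls'
}

# Input: output of `crm configure show`. True if enable-acl is set to true.
acl_enabled() {
    grep -Eq '(^|[[:space:]])enable-acl="?true"?([[:space:]]|\\|$)'
}

# Input: output of `id <user>`. True if the user is in the haclient group.
in_haclient() {
    grep -Eq 'groups=.*\(haclient\)'
}

# Args: the three captured outputs. Prints each failed check, returns 1 if any.
acl_preflight() {
    rc=0
    printf '%s\n' "$1" | has_acl_feature || { echo "cibadmin -!: no acls feature"; rc=1; }
    printf '%s\n' "$2" | acl_enabled || { echo "enable-acl is not true"; rc=1; }
    printf '%s\n' "$3" | in_haclient || { echo "user not in haclient"; rc=1; }
    return "$rc"
}

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_FEATURES='Pacemaker 1.1.10 (Build: placeholder):  ncurses libqb-logging libqb-ipc corosync-native'
SAMPLE_CONFIG='property $id="cib-bootstrap-options" \
    dc-deadtime="60"'
SAMPLE_ID='uid=505(watch) gid=100(users) groups=100(users),989(haclient)'

# Reports the first two checks as failed for these samples.
acl_preflight "$SAMPLE_FEATURES" "$SAMPLE_CONFIG" "$SAMPLE_ID" || true

# On a cluster node (assumed usage):
#   acl_preflight "$(cibadmin -!)" "$(crm configure show)" "$(id watch)"
```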



