[Pacemaker] ACL setup

Larry Brigman larry.brigman at gmail.com
Fri Dec 9 18:35:53 EST 2011


On Fri, Dec 9, 2011 at 3:19 PM, Andreas Kurz <andreas at hastexo.com> wrote:

> Hello Larry,
>
> On 12/09/2011 11:15 PM, Larry Brigman wrote:
> > I have installed pacemaker 1.1.5 and configured ACLs based on the info from
> > http://www.clusterlabs.org/doc/acls.html
> >
> > It looks like the user still does not have read access.
> >
> > Here is the acl section of config
> >     <acls>
> >       <acl_role id="monitor">
> >         <read id="monitor-read" xpath="/cib"/>
> >       </acl_role>
> >       <acl_user id="nvs">
> >         <role_ref id="monitor"/>
> >       </acl_user>
> >       <acl_user id="acm">
> >         <role_ref id="monitor"/>
> >       </acl_user>
> >     </acls>
> >
> > Here is what the user is getting:
> > [nvs@sweng0057 ~]$ crm node show
> > Signon to CIB failed: connection failed
> > Init failed, could not perform requested operations
> > ERROR: cannot parse xml: no element found: line 1, column 0
> > [nvs@sweng0057 ~]$ crm status
> >
> > Connection to cluster failed: connection failed
> >
> >
> > Any ideas as to why this wouldn't work and what to fix?
>
> If you really followed exactly the guide ... did you check user nvs
> already is in group "haclient"?
>
Thought of that.

Adding the user to the haclient group removes any restrictions as I was
able to write to the config without error.


>
> You may only need to "reload" group membership for nvs by doing a
> logout/login or a "su - nvs".
>
>
Also did a logout/login and reran the commands.  With the info as written,
it doesn't work for me.  At the suggestion from one of my developers I changed
the role from monitor to view.  This forced me to remove the user as I could
not add a new role to the same user.  No success.
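
An added example, not part of the original message and not Pacemaker's own code: a Python check of a CIB for the ACL preconditions raised in this thread (role references, haclient membership) plus Pacemaker's `enable-acl` cluster property. The `<acls>` section is the one quoted above; the `<crm_config>` content, the haclient member set and the function name `audit_acls` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <acls> section is the one quoted in the message;
# the <crm_config> content is made up for illustration.
SAMPLE_CIB = """<cib><configuration>
  <crm_config><cluster_property_set id="cib-bootstrap-options">
    <nvpair id="opt-1" name="stonith-enabled" value="false"/>
  </cluster_property_set></crm_config>
  <acls>
    <acl_role id="monitor">
      <read id="monitor-read" xpath="/cib"/>
    </acl_role>
    <acl_user id="nvs"><role_ref id="monitor"/></acl_user>
    <acl_user id="acm"><role_ref id="monitor"/></acl_user>
  </acls>
</configuration></cib>"""

TRUE_VALUES = {"true", "on", "yes", "y", "1"}
RULE_TAGS = {"read", "write", "deny"}

def audit_acls(cib_xml, haclient_members):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(cib_xml)
    findings = []
    # 1. ACL enforcement is a cluster property and is off unless set.
    values = [n.get("value", "") for cfg in root.iter("crm_config")
              for n in cfg.iter("nvpair") if n.get("name") == "enable-acl"]
    if not values or values[-1].lower() not in TRUE_VALUES:
        findings.append("enable-acl is not true: ACLs are not enforced")
    # 2. A role with no read/write/deny rule grants nothing.
    roles = {r.get("id"): r for r in root.iter("acl_role")}
    for rid, role in roles.items():
        if not any(child.tag in RULE_TAGS for child in role):
            findings.append(f"role {rid}: no read/write/deny rules")
    # 3. Each acl_user must reference defined roles and be able to connect.
    for user in root.iter("acl_user"):
        uid = user.get("id")
        for ref in user.findall("role_ref"):
            if ref.get("id") not in roles:
                findings.append(f"user {uid}: role_ref {ref.get('id')} undefined")
        if uid not in haclient_members:
            findings.append(f"user {uid}: not in group haclient")
    return findings

if __name__ == "__main__":
    # haclient membership is passed in (constructed here) so this runs offline.
    for finding in audit_acls(SAMPLE_CIB, {"nvs"}):
        print(finding)
```

On a live node the XML would come from `cibadmin -Q` and the member set from the system group database.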