[Pacemaker] ACL setup

Larry Brigman larry.brigman at gmail.com
Tue Dec 13 00:48:29 EST 2011


On Mon, Dec 12, 2011 at 4:38 PM, Andreas Kurz <andreas at hastexo.com> wrote:

> On 12/12/2011 03:37 AM, Larry Brigman wrote:
> >
> >
> > On Sun, Dec 11, 2011 at 5:01 PM, Tim Serong <tserong at suse.com> wrote:
> >
> >     On 12/10/2011 10:35 AM, Larry Brigman wrote:
> >
> >         On Fri, Dec 9, 2011 at 3:19 PM, Andreas Kurz <andreas at hastexo.com> wrote:
> >
> >            Hello Larry,
> >
> >            On 12/09/2011 11:15 PM, Larry Brigman wrote:
> >             > I have installed pacemaker 1.1.5 and configured ACLs based on the
> >             > info from http://www.clusterlabs.org/doc/acls.html
> >             >
> >             > It looks like the user still does not have read access.
> >             >
> >             > Here is the acl section of config
> >             > <acls>
> >             > <acl_role id="monitor">
> >             > <read id="monitor-read" xpath="/cib"/>
> >             > </acl_role>
> >             > <acl_user id="nvs">
> >             > <role_ref id="monitor"/>
> >             > </acl_user>
> >             > <acl_user id="acm">
> >             > <role_ref id="monitor"/>
> >             > </acl_user>
> >             > </acls>
> >             >
> >             > Here is what the user is getting:
> >             > [nvs at sweng0057 ~]$ crm node show
> >             > Signon to CIB failed: connection failed
> >             > Init failed, could not perform requested operations
> >             > ERROR: cannot parse xml: no element found: line 1, column 0
> >             > [nvs at sweng0057 ~]$ crm status
> >             >
> >             > Connection to cluster failed: connection failed
> >             >
> >             >
> >             > Any ideas as to why this wouldn't work and what to fix?
> >
> >            If you really followed exactly the guide ... did you check user nvs
> >            already is in group "haclient"?
> >
> >         Thought of that.
> >
> >         Adding the user to the haclient group removes any restrictions as I was
> >         able to write to the config without error.
> >
> >
> >     Did you set "crm configure property enable-acl=true"?  Without this,
> >     all users in the haclient group have full access.
> >
> >
> > That was the second setting I added or changed.  The first was the
> > schema to pacemaker-1.1.
> > Exactly like the acl page.  I verified that both the schema and acl were
> > configured in with a dump of the xml.
>
> Your pacemaker build has acls enabled? ... "cibadmin -!" or "crm_report
> --features" should list the builtin features.
>
>
[root at sweng0057 ~]# cibadmin -!
Pacemaker 1.1.5-1.1.sme (Build: 01e86afaaa6d4a8c4836f68df80ababd6ca3902f):
docbook-manpages ncurses cs-quorum corosync

Not enabled....

That explains it.  The configure script doesn't enable acls by default so
it's not built with them.

I'll make another pass when I rebuild my rpm package.
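Worked example added by the editor, not code from the thread or from Pacemaker: offline checks for the three preconditions raised above (ACL support compiled into the build, enable-acl=true in crm_config, and a role grant that actually reaches the user), run over a CIB dump such as `cibadmin -Q` produces. The feature token `acls` and the sample CIB skeleton are assumptions; the `<acls>` block and feature line are the ones posted in the thread.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not a real cluster dump): the thread's <acls> block plus enable-acl.
SAMPLE_CIB = """<cib validate-with="pacemaker-1.1">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
      </cluster_property_set>
    </crm_config>
    <acls>
      <acl_role id="monitor"><read id="monitor-read" xpath="/cib"/></acl_role>
      <acl_user id="nvs"><role_ref id="monitor"/></acl_user>
    </acls>
  </configuration>
</cib>"""
# Second line of the thread's `cibadmin -!` output: no ACL support listed.
SAMPLE_FEATURES = "docbook-manpages ncurses cs-quorum corosync"

def acl_support_compiled(features_line):
    # 'acls' as the feature token is an assumption about the build string.
    return "acls" in features_line.split()

def acl_enforcement_enabled(cib_xml):
    # Without enable-acl=true every haclient member keeps full access.
    nv = ET.fromstring(cib_xml).find(
        "configuration/crm_config/cluster_property_set/nvpair[@name='enable-acl']")
    return nv is not None and nv.get("value", "").lower() == "true"

def read_paths_for_user(cib_xml, user):
    # Resolve acl_user -> role_ref -> acl_role -> <read xpath=...> grants.
    root = ET.fromstring(cib_xml)
    roles = {r.get("id"): r for r in root.iterfind("configuration/acls/acl_role")}
    paths = []
    for u in root.iterfind("configuration/acls/acl_user"):
        if u.get("id") != user:
            continue
        for ref in u.iterfind("role_ref"):
            role = roles.get(ref.get("id"))
            if role is not None:
                paths += [rd.get("xpath") for rd in role.iterfind("read") if rd.get("xpath")]
    return paths

def diagnose(features_line, cib_xml, user):
    # Returns the reasons the user would still be refused; empty means all checks pass.
    problems = []
    if not acl_support_compiled(features_line):
        problems.append("ACL support not compiled into this build")
    if not acl_enforcement_enabled(cib_xml):
        problems.append("enable-acl is not true")
    if not read_paths_for_user(cib_xml, user):
        problems.append("no read grant reaches user " + user)
    return problems
```

Run against the thread's own feature line and config, `diagnose(SAMPLE_FEATURES, SAMPLE_CIB, "nvs")` reports only the missing build feature, which is the cause found above.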