[Pacemaker] ACL setup

Tim Serong tserong at suse.com
Mon Dec 12 01:01:20 UTC 2011


On 12/10/2011 10:35 AM, Larry Brigman wrote:
> On Fri, Dec 9, 2011 at 3:19 PM, Andreas Kurz <andreas at hastexo.com> wrote:
>
>     Hello Larry,
>
>     On 12/09/2011 11:15 PM, Larry Brigman wrote:
>      > I have installed pacemaker 1.1.5 and configured ACLs based on the info from
>      > http://www.clusterlabs.org/doc/acls.html
>      >
>      > It looks like the user still does not have read access.
>      >
>      > Here is the acl section of config
>      > <acls>
>      > <acl_role id="monitor">
>      > <read id="monitor-read" xpath="/cib"/>
>      > </acl_role>
>      > <acl_user id="nvs">
>      > <role_ref id="monitor"/>
>      > </acl_user>
>      > <acl_user id="acm">
>      > <role_ref id="monitor"/>
>      > </acl_user>
>      > </acls>
>      >
>      > Here is what the user is getting:
>      > [nvs at sweng0057 ~]$ crm node show
>      > Signon to CIB failed: connection failed
>      > Init failed, could not perform requested operations
>      > ERROR: cannot parse xml: no element found: line 1, column 0
>      > [nvs at sweng0057 ~]$ crm status
>      >
>      > Connection to cluster failed: connection failed
>      >
>      >
>      > Any ideas as to why this wouldn't work and what to fix?
>
>     If you really followed exactly the guide ... did you check user nvs
>     already is in group "haclient"?
>
> Thought of that.
>
> Adding the user to the haclient group removes any restrictions as I was able to
> write to the config without error.

Did you set "crm configure property enable-acl=true"?  Without this, all 
users in the haclient group have full access.

Regards,

Tim
-- 
Tim Serong
Senior Clustering Engineer
SUSE
tserong at suse.com
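
An added example (not part of the original message, and not Pacemaker code): a Python check over an exported CIB for the two conditions raised in this thread, that enable-acl is true and that each acl_user is in the haclient group. The function name audit_acl, the finding codes and the sample crm_config section are assumptions; group membership is passed in rather than read from the system.

```python
import xml.etree.ElementTree as ET

# Constructed sample CIB. The <acls> section is the one quoted in the thread;
# the crm_config section is constructed and has no enable-acl property.
SAMPLE_CIB = """<cib>
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="opt-stonith" name="stonith-enabled" value="false"/>
      </cluster_property_set>
    </crm_config>
    <acls>
      <acl_role id="monitor">
        <read id="monitor-read" xpath="/cib"/>
      </acl_role>
      <acl_user id="nvs"><role_ref id="monitor"/></acl_user>
      <acl_user id="acm"><role_ref id="monitor"/></acl_user>
    </acls>
  </configuration>
</cib>"""

TRUE_VALUES = {"true", "on", "yes", "y", "1"}  # spellings Pacemaker reads as true


def audit_acl(cib_xml, haclient_members):
    """Return (code, subject) findings for the conditions raised in the thread."""
    root = ET.fromstring(cib_xml)
    findings = []
    props = root.findall("./configuration/crm_config/cluster_property_set/nvpair")
    if not any(p.get("name") == "enable-acl"
               and p.get("value", "").lower() in TRUE_VALUES for p in props):
        # ACLs are not enforced: every haclient member has full access.
        findings.append(("acl-not-enabled", "crm_config"))
    acls = root.find("./configuration/acls")
    if acls is None:
        return findings
    roles = {r.get("id") for r in acls.findall("acl_role")}
    for user in acls.findall("acl_user"):
        uid = user.get("id")
        if uid not in haclient_members:
            # The user in the thread could not sign on to the CIB in this state.
            findings.append(("not-in-haclient", uid))
        for ref in user.findall("role_ref"):
            if ref.get("id") not in roles:
                findings.append(("undefined-role", f"{uid}:{ref.get('id')}"))
    return findings


if __name__ == "__main__":
    for code, subject in audit_acl(SAMPLE_CIB, haclient_members={"nvs"}):
        print(code, subject)
```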



