[Pacemaker] ACL setup

Andreas Kurz andreas at hastexo.com
Tue Dec 13 00:38:38 UTC 2011


On 12/12/2011 03:37 AM, Larry Brigman wrote:
> 
> 
> On Sun, Dec 11, 2011 at 5:01 PM, Tim Serong <tserong at suse.com> wrote:
> 
>     On 12/10/2011 10:35 AM, Larry Brigman wrote:
> 
>         On Fri, Dec 9, 2011 at 3:19 PM, Andreas Kurz
>         <andreas at hastexo.com> wrote:
> 
>            Hello Larry,
> 
>            On 12/09/2011 11:15 PM, Larry Brigman wrote:
>             > I have installed pacemaker 1.1.5 and configured ACLs based on the info from
>             > http://www.clusterlabs.org/doc/acls.html
>             >
>             > It looks like the user still does not have read access.
>             >
>             > Here is the acl section of config
>             > <acls>
>             > <acl_role id="monitor">
>             > <read id="monitor-read" xpath="/cib"/>
>             > </acl_role>
>             > <acl_user id="nvs">
>             > <role_ref id="monitor"/>
>             > </acl_user>
>             > <acl_user id="acm">
>             > <role_ref id="monitor"/>
>             > </acl_user>
>             > </acls>
>             >
>             > Here is what the user is getting:
>             > [nvs at sweng0057 ~]$ crm node show
>             > Signon to CIB failed: connection failed
>             > Init failed, could not perform requested operations
>             > ERROR: cannot parse xml: no element found: line 1, column 0
>             > [nvs at sweng0057 ~]$ crm status
>             >
>             > Connection to cluster failed: connection failed
>             >
>             >
>             > Any ideas as to why this wouldn't work and what to fix?
> 
>            If you really followed exactly the guide ... did you check user nvs
>            already is in group "haclient"?
> 
>         Thought of that.
> 
>         Adding the user to the haclient group removes any restrictions as I was
>         able to write to the config without error.
> 
> 
>     Did you set "crm configure property enable-acl=true"?  Without this,
>     all users in the haclient group have full access.
> 
> 
> That was the second setting I added or changed.  The first was the
> schema to pacemaker-1.1.
> Exactly like the acl page.  I verified that both the schema and acl were
> configured in with a dump of the xml.

Your pacemaker build has acls enabled? ... "cibadmin -!" or "crm_report
--features" should list the builtin features.

Regards,
Andreas

-- 
Need help with Pacemaker?
http://www.hastexo.com/now
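
The checks raised in this thread (haclient membership, enable-acl=true, the pacemaker-1.1 schema, and role references that resolve), run over a CIB dump. This is an added example, not part of the original message and not Pacemaker's own code. The CIB below is constructed; acl_findings and its haclient_members parameter are hypothetical names, and the nvpair layout under crm_config is assumed to match a normal CIB dump.

```python
import xml.etree.ElementTree as ET

# Constructed CIB dump: the thread's <acls> section plus the two settings
# discussed (the validate-with schema and the enable-acl cluster property).
SAMPLE_CIB = """
<cib validate-with="pacemaker-1.1">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="opt-acl" name="enable-acl" value="true"/>
      </cluster_property_set>
    </crm_config>
    <acls>
      <acl_role id="monitor">
        <read id="monitor-read" xpath="/cib"/>
      </acl_role>
      <acl_user id="nvs"><role_ref id="monitor"/></acl_user>
      <acl_user id="acm"><role_ref id="monitor"/></acl_user>
    </acls>
  </configuration>
</cib>
"""

def acl_findings(cib_xml, user, haclient_members):
    """Return the ACL prerequisites from the thread that `user` fails (hypothetical helper)."""
    cib = ET.fromstring(cib_xml)
    problems = []
    # 1. First question asked in the thread: is the user in group haclient?
    if user not in haclient_members:
        problems.append("user not in haclient group")
    # 2. Without enable-acl=true, all haclient members have full access.
    props = cib.findall("./configuration/crm_config//nvpair")
    values = [n.get("value", "").lower() for n in props if n.get("name") == "enable-acl"]
    if "true" not in values:
        problems.append("enable-acl is not true")
    # 3. The thread's setup uses schema pacemaker-1.1; other schemas are not considered.
    if cib.get("validate-with") != "pacemaker-1.1":
        problems.append("validate-with is not pacemaker-1.1")
    # 4. The user needs an acl_user entry whose role_refs point at defined acl_roles.
    roles = {r.get("id") for r in cib.iter("acl_role")}
    entry = next((u for u in cib.iter("acl_user") if u.get("id") == user), None)
    if entry is None:
        problems.append("no acl_user entry")
    else:
        for ref in entry.iter("role_ref"):
            if ref.get("id") not in roles:
                problems.append("role_ref '%s' has no acl_role" % ref.get("id"))
    return problems
```

An empty list means the dump passes these four checks; whether the build has ACL support still has to be confirmed with "cibadmin -!" or "crm_report --features" as suggested above.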
