[Pacemaker] ACL setup

Larry Brigman larry.brigman at gmail.com
Wed Jan 4 13:53:43 EST 2012


On Mon, Dec 12, 2011 at 9:48 PM, Larry Brigman <larry.brigman at gmail.com> wrote:

> On Mon, Dec 12, 2011 at 4:38 PM, Andreas Kurz <andreas at hastexo.com> wrote:
>
>> On 12/12/2011 03:37 AM, Larry Brigman wrote:
>>
> ....
> [root at sweng0057 ~]# cibadmin -!
> Pacemaker 1.1.5-1.1.sme (Build:
> 01e86afaaa6d4a8c4836f68df80ababd6ca3902f):  docbook-manpages ncurses
> cs-quorum corosync
>
> Not enabled....
>
> That explains it.  The configure script doesn't enable acls by default so
> it's not built with
> them.
>
> I'll make another pass when I rebuild my rpm package.
>
> Testing new build still doesn't work when acl is enabled.

cibadmin -!
Pacemaker 1.1.5-1.2.sme (Build: 01e86afaaa6d4a8c4836f68df80ababd6ca3902f):
docbook-manpages ncurses cs-quorum corosync acl
[root at sweng0096 ~]# cibadmin --modify --xml-text '<cib validate-with="pacemaker-1.1"/>'
[root at sweng0096 ~]# crm configure property enable-acl=true
[root at sweng0096 ~]# crm
crm(live)#
role monitor \
>         read xpath:"/cib"
crm(live)configure#  user nvs role:monitor
crm(live)configure# user acm role:monitor
crm(live)configure# commit
crm(live)configure# exit
bye
[root at sweng0096 ~]# su - nvs
[nvs at sweng0096 ~]$ crm status

Connection to cluster failed: connection failed


[root at sweng0096 ~]# cibadmin --query
output modified to only include relevant portions.
<cib epoch="16" num_updates="17" admin_epoch="0"
validate-with="pacemaker-1.1" crm_feature_set="3.0.5" have-quorum="0"
cib-last-written="Wed Jan  4 10:29:16 2012" dc-uuid="sweng0096.lab.c-cor.com">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
...
        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"
value="true"/>
      </cluster_property_set>
...
    <acls>
      <acl_role id="monitor">
        <read id="monitor-read" xpath="/cib"/>
      </acl_role>
      <acl_user id="nvs">
        <role_ref id="monitor"/>
      </acl_user>
      <acl_user id="acm">
        <role_ref id="monitor"/>
      </acl_user>
    </acls>
  </configuration>
...
</cib>
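
Added example, not part of the original post and not Pacemaker's own code: a Python check over `cibadmin --query` output that confirms `enable-acl` is set and that every `role_ref` resolves to an `acl_role`, then lists the rules each user ends up with. The sample CIB is constructed from the output above with the elided sections left out, and `audit_acls` and `rules` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ACL-relevant parts of the CIB quoted above, with the
# elided ("...") sections left out so that it parses as one document.
SAMPLE_CIB = """\
<cib validate-with="pacemaker-1.1">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
      </cluster_property_set>
    </crm_config>
    <acls>
      <acl_role id="monitor"><read id="monitor-read" xpath="/cib"/></acl_role>
      <acl_user id="nvs"><role_ref id="monitor"/></acl_user>
      <acl_user id="acm"><role_ref id="monitor"/></acl_user>
    </acls>
  </configuration>
</cib>
"""

RIGHTS = ("read", "write", "deny")

def rules(elem):
    """Return (right, target) pairs for the rules directly under elem."""
    return [(r.tag, r.get("xpath") or r.get("ref") or r.get("tag"))
            for r in elem if r.tag in RIGHTS]

def audit_acls(cib_xml):
    """Return (enabled, per-user rules, problems) for a CIB XML string."""
    root = ET.fromstring(cib_xml)
    enabled = any(nv.get("value", "").lower() in ("true", "yes", "on", "y", "1")
                  for nv in root.iter("nvpair") if nv.get("name") == "enable-acl")
    roles = {r.get("id"): rules(r) for r in root.iter("acl_role")}
    users, problems = {}, []
    if not enabled:
        problems.append("enable-acl is not true: ACL entries are not enforced")
    for user in root.iter("acl_user"):
        uid, effective = user.get("id"), rules(user)
        for ref in user.findall("role_ref"):
            if ref.get("id") in roles:
                effective += roles[ref.get("id")]
            else:
                problems.append(f"user {uid}: role_ref {ref.get('id')!r} has no acl_role")
        if not effective:
            problems.append(f"user {uid}: no rules resolved")
        users[uid] = effective
    return enabled, users, problems
```

On the configuration shown in the post this reports no problems, with `nvs` and `acm` both resolving to `read` on `/cib`.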