[Pacemaker] ACL setup

Gao,Yan ygao at suse.com
Wed Jan 4 23:50:08 EST 2012


Hi Larry,

On 01/05/12 02:53, Larry Brigman wrote:
> On Mon, Dec 12, 2011 at 9:48 PM, Larry Brigman <larry.brigman at gmail.com
> <mailto:larry.brigman at gmail.com>> wrote:
> 
>     On Mon, Dec 12, 2011 at 4:38 PM, Andreas Kurz <andreas at hastexo.com
>     <mailto:andreas at hastexo.com>> wrote:
> 
>         On 12/12/2011 03:37 AM, Larry Brigman wrote:
> 
>     ....
>     [root at sweng0057 ~]# cibadmin -!
>     Pacemaker 1.1.5-1.1.sme (Build:
>     01e86afaaa6d4a8c4836f68df80ababd6ca3902f):  docbook-manpages ncurses
>     cs-quorum corosync
> 
>     Not enabled....
> 
>     That explains it.  The configure script doesn't enable acls by
>     default so it's not built with
>     them.
> 
>     I'll make another pass when I rebuild my rpm package.
> 
> Testing new build still doesn't work when acl is enabled.
> 
> cibadmin -!
> Pacemaker 1.1.5-1.2.sme (Build:
> 01e86afaaa6d4a8c4836f68df80ababd6ca3902f):  docbook-manpages ncurses
> cs-quorum corosync acl
> [root at sweng0096 ~]# cibadmin --modify --xml-text '<cib
> validate-with="pacemaker-1.1"/>'
This is not required any more. The "pacemaker-1.2" schema supports ACL too.

> [root at sweng0096 ~]# crm configure property enable-acl=true
> [root at sweng0096 ~]# crm
> crm(live)#
> role monitor \
>>         read xpath:"/cib"
> crm(live)configure#  user nvs role:monitor
> crm(live)configure# user acm role:monitor
> crm(live)configure# commit
> crm(live)configure# exit
> bye
> [root at sweng0096 ~]# su - nvs
> [nvs at sweng0096 ~]$ crm status
> 
> Connection to cluster failed: connection failed
What about:
# id nvs
# ls -ld /var/run/crm
# ls -l /var/run/crm

> 
> 
> [root at sweng0096 ~]# cibadmin --query
> output modified to only include relevant portions.
> <cib epoch="16" num_updates="17" admin_epoch="0"
> validate-with="pacemaker-1.1" crm_feature_set="3.0.5" have-quorum="0"
> cib-last-written="Wed Jan  4 10:29:16 2012"
> dc-uuid="sweng0096.lab.c-cor.com">
>   <configuration>
>     <crm_config>
>       <cluster_property_set id="cib-bootstrap-options">
> ...
>         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"
> value="true"/>
>       </cluster_property_set>
> ...
>     <acls>
>       <acl_role id="monitor">
>         <read id="monitor-read" xpath="/cib"/>
>       </acl_role>
>       <acl_user id="nvs">
>         <role_ref id="monitor"/>
>       </acl_user>
>       <acl_user id="acm">
>         <role_ref id="monitor"/>
>       </acl_user>
>     </acls>
>   </configuration>
> ...
> </cib>
> 
-- 
Gao,Yan <ygao at suse.com>
Software Engineer
China Server Team, SUSE.
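
Added example, not part of the original message or of Pacemaker: a small check that reads `cibadmin --query` output and confirms the ACL prerequisites discussed in this thread (an ACL-capable schema, enable-acl turned on, every role_ref resolving to a defined acl_role), then lists the rules each user ends up with. The function name `check_acl_config` is hypothetical and the sample CIB is constructed from the trimmed output quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the trimmed `cibadmin --query` output in the thread.
SAMPLE_CIB = """<cib validate-with="pacemaker-1.1">
  <configuration><crm_config><cluster_property_set id="cib-bootstrap-options">
    <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
  </cluster_property_set></crm_config>
  <acls>
    <acl_role id="monitor"><read id="monitor-read" xpath="/cib"/></acl_role>
    <acl_user id="nvs"><role_ref id="monitor"/></acl_user>
    <acl_user id="acm"><role_ref id="monitor"/></acl_user>
  </acls></configuration>
</cib>"""

ACL_SCHEMAS = {"pacemaker-1.1", "pacemaker-1.2"}  # schemas named in the thread
RULE_TAGS = ("read", "write", "deny")             # ACL rule elements
TRUE_VALUES = {"true", "yes", "on", "y", "1"}     # Pacemaker boolean spellings


def check_acl_config(cib_xml):
    """Return (problems, grants); grants maps user -> [(rule kind, xpath), ...]."""
    root = ET.fromstring(cib_xml)
    problems, grants = [], {}
    schema = root.get("validate-with")
    if schema not in ACL_SCHEMAS:
        problems.append(f"validate-with={schema!r} is not an ACL-capable schema")
    enabled = [n.get("value", "") for n in root.iter("nvpair") if n.get("name") == "enable-acl"]
    if not any(v.lower() in TRUE_VALUES for v in enabled):
        problems.append("enable-acl is not set to true")
    roles = {r.get("id"): [(c.tag, c.get("xpath")) for c in r if c.tag in RULE_TAGS]
             for r in root.iter("acl_role")}
    for user in root.iter("acl_user"):
        uid = user.get("id")
        # Rules may sit directly under acl_user or come from referenced roles.
        grants[uid] = [(c.tag, c.get("xpath")) for c in user if c.tag in RULE_TAGS]
        for ref in user.findall("role_ref"):
            if ref.get("id") not in roles:
                problems.append(f"user {uid!r} references undefined role {ref.get('id')!r}")
            else:
                grants[uid].extend(roles[ref.get("id")])
        if not grants[uid]:
            problems.append(f"user {uid!r} has no ACL rules")
    return problems, grants


if __name__ == "__main__":
    print(check_acl_config(SAMPLE_CIB))
```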
