[Pacemaker] ACL setup

Larry Brigman larry.brigman at gmail.com
Thu Jan 5 00:23:37 EST 2012


On Wed, Jan 4, 2012 at 8:50 PM, Gao,Yan <ygao at suse.com> wrote:

> Hi Larry,
>
> On 01/05/12 02:53, Larry Brigman wrote:
> > On Mon, Dec 12, 2011 at 9:48 PM, Larry Brigman <larry.brigman at gmail.com> wrote:
> >
> >     On Mon, Dec 12, 2011 at 4:38 PM, Andreas Kurz <andreas at hastexo.com> wrote:
> >
> >         On 12/12/2011 03:37 AM, Larry Brigman wrote:
> >
> >     ....
> >     [root at sweng0057 ~]# cibadmin -!
> >     Pacemaker 1.1.5-1.1.sme (Build:
> >     01e86afaaa6d4a8c4836f68df80ababd6ca3902f):  docbook-manpages ncurses
> >     cs-quorum corosync
> >
> >     Not enabled....
> >
> >     That explains it.  The configure script doesn't enable acls by
> >     default so it's not built with
> >     them.
> >
> >     I'll make another pass when I rebuild my rpm package.
> >
> > Testing new build still doesn't work when acl is enabled.
> >
> > cibadmin -!
> > Pacemaker 1.1.5-1.2.sme (Build:
> > 01e86afaaa6d4a8c4836f68df80ababd6ca3902f):  docbook-manpages ncurses
> > cs-quorum corosync acl
> > [root at sweng0096 ~]# cibadmin --modify --xml-text '<cib
> > validate-with="pacemaker-1.1"/>'
> This is not required any more. "pacemaker-1.2" schema support ACL too.
>
> > [root at sweng0096 ~]# crm configure property enable-acl=true
> > [root at sweng0096 ~]# crm
> > crm(live)#
> > role monitor \
> >>         read xpath:"/cib"
> > crm(live)configure#  user nvs role:monitor
> > crm(live)configure# user acm role:monitor
> > crm(live)configure# commit
> > crm(live)configure# exit
> > bye
> > [root at sweng0096 ~]# su - nvs
> > [nvs at sweng0096 ~]$ crm status
> >
> > Connection to cluster failed: connection failed
> What about:
> # id nvs
> # ls -ld /var/run/crm
> # ls -l /var/run/crm
>

[root at myname run]# id nvs
uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)
[root at myname ~]# cd /var/run/crm
[root at myname crm]# ls
attrd  cib_callback  cib_ro  cib_rw  crmd  pengine  st_callback  st_command
[root at myname crm]# cd ..
[root at myname run]# ls -ld crm
drwxr-x--- 2 hacluster haclient 200 Jan  4 10:31 crm
[root at myname run]# ls -l crm
total 0
srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 attrd
srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 cib_callback
srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 cib_ro
srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 cib_rw
srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 crmd
srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 pengine
srwxrwxrwx 1 root      root 0 Jan  4 10:31 st_callback
srwxrwxrwx 1 root      root 0 Jan  4 10:31 st_command

If I change the crm directory permissions from 750 to 755 then
things work.  Should that be needed?

Looking at the spec file I find the following:
%dir %attr (750, %{uname}, %{gname}) %{_var}/run/crm

Adding the user to the haclient group works but then the user has
full write access which isn't what is wanted.

>
> >
> > [root at sweng0096 ~]# cibadmin --query
> > output modified to only include relevant portions.
> > <cib epoch="16" num_updates="17" admin_epoch="0"
> > validate-with="pacemaker-1.1" crm_feature_set="3.0.5" have-quorum="0"
> > cib-last-written="Wed Jan  4 10:29:16 2012"
> > dc-uuid="sweng0096.lab.c-cor.com">
> >   <configuration>
> >     <crm_config>
> >       <cluster_property_set id="cib-bootstrap-options">
> > ...
> >         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"
> > value="true"/>
> >       </cluster_property_set>
> > ...
> >     <acls>
> >       <acl_role id="monitor">
> >         <read id="monitor-read" xpath="/cib"/>
> >       </acl_role>
> >       <acl_user id="nvs">
> >         <role_ref id="monitor"/>
> >       </acl_user>
> >       <acl_user id="acm">
> >         <role_ref id="monitor"/>
> >       </acl_user>
> >     </acls>
> >   </configuration>
> > ...
> > </cib>
> >
> --
> Gao,Yan <ygao at suse.com>
> Software Engineer
> China Server Team, SUSE.
>
> _______________________________________________
> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org
>
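The permission question in the message above (why a user with an ACL role still gets "connection failed" until /var/run/crm goes from 750 to 755) comes down to the ordinary POSIX check a connect() on a UNIX-domain socket has to pass. The Python below is an added example, not code from the thread or from Pacemaker: it parses the `ls -l` output Larry posted and evaluates that check for the users in the thread. Assumptions are labelled in the code: /var and /var/run are taken to be world-searchable, root is taken to bypass DAC, and only the filesystem layer is modelled, not what the CIB does with the connection afterwards.

```python
"""POSIX permission model for connecting to a Pacemaker IPC socket under
/var/run/crm, evaluated over the `ls -l` listing posted in the thread.

Constructed example: it does not talk to a cluster and models only the
filesystem check.  Pacemaker's own ACL enforcement inside the CIB is a
separate layer that this script says nothing about.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

# Listing as posted in the thread: the crm directory and the sockets in it.
CRM_DIR_LINE = "drwxr-x--- 2 hacluster haclient 200 Jan  4 10:31 crm"
SOCKET_LINES = [
    "srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 attrd",
    "srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 cib_callback",
    "srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 cib_ro",
    "srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 cib_rw",
    "srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 crmd",
    "srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 pengine",
    "srwxrwxrwx 1 root      root 0 Jan  4 10:31 st_callback",
    "srwxrwxrwx 1 root      root 0 Jan  4 10:31 st_command",
]


@dataclass(frozen=True)
class Entry:
    name: str
    mode: int        # rwx bits as an octal number, e.g. 0o750
    owner: str
    group: str
    is_dir: bool


def parse_ls_line(line: str) -> Entry:
    """Turn one `ls -l` line into an Entry.  A lowercase s/t in an x position
    means the x bit is set (plus setuid/setgid/sticky); uppercase means it is clear."""
    fields = line.split()
    perms, owner, group, name = fields[0], fields[2], fields[3], fields[-1]
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        if ch in "rwxst":
            mode |= 1 << (8 - i)
    return Entry(name, mode, owner, group, is_dir=perms[0] == "d")


def user_bits(entry: Entry, user: str, groups: Set[str]) -> int:
    """Pick the owner, group or other triplet for `user` the way the kernel does:
    the first class that matches decides, a more permissive later class is ignored."""
    if user == entry.owner:
        shift = 6
    elif entry.group in groups:
        shift = 3
    else:
        shift = 0
    return (entry.mode >> shift) & 0o7


def can_connect(directory: Entry, sock: Entry, user: str, groups: Set[str]) -> Tuple[bool, str]:
    """connect() on a UNIX socket needs search (x) on every directory in the
    path and write (w) on the socket inode.  Assumption: /var and /var/run are
    world-searchable, so only the crm directory is checked; root is assumed to
    bypass DAC (CAP_DAC_OVERRIDE)."""
    if user == "root":
        return True, "root bypasses DAC"
    if not user_bits(directory, user, groups) & 0o1:
        return False, f"no search (x) permission on {directory.name}/ (mode {directory.mode:o})"
    if not user_bits(sock, user, groups) & 0o2:
        return False, f"no write (w) permission on socket {sock.name}"
    return True, "ok"


def who_can_connect(user: str, groups: Set[str], dir_mode: Optional[int] = None) -> Dict[str, bool]:
    """Map each socket name to whether `user` can connect.  `dir_mode` overrides
    the crm directory's mode, e.g. 0o755 to model the chmod from the thread."""
    directory = parse_ls_line(CRM_DIR_LINE)
    if dir_mode is not None:
        directory = replace(directory, mode=dir_mode)
    return {s.name: can_connect(directory, s, user, groups)[0]
            for s in map(parse_ls_line, SOCKET_LINES)}


if __name__ == "__main__":
    nvs = {"nvs", "sys"}          # groups from `id nvs` in the thread
    cases = [
        ("nvs, crm dir 750 as shipped", who_can_connect("nvs", nvs)),
        ("nvs, crm dir chmod 755", who_can_connect("nvs", nvs, dir_mode=0o755)),
        ("nvs added to haclient", who_can_connect("nvs", nvs | {"haclient"})),
    ]
    for label, result in cases:
        reachable = sorted(n for n, ok in result.items() if ok)
        print(f"{label}: {reachable or 'nothing'}")
```

Two things the model makes visible. First, the sockets themselves are 0777, so the directory's missing "other" x bit is the only thing refusing nvs; once the directory is 755, every socket in it, cib_rw included, is reachable for any local user, and the CIB's own ACL (the enable-acl property and the monitor role in the thread) becomes the sole control on what such a user can do. Second, chmod 755 and haclient membership give the same result at this layer, so the difference Larry reports between the two (full write access via haclient) is not something the mode bits explain; it has to come from how Pacemaker itself treats the connection.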