[Pacemaker] Can't issue 'crm configure' commands under privileged user

Dejan Muhamedagic dejanmm at fastmail.fm
Fri Sep 28 05:55:22 EDT 2012


Hi,

On Fri, Sep 28, 2012 at 09:51:05AM +0100, Colin McCormack wrote:
> Hi Lars,
> 
> > "This doesn't "allow" the user to configure the cluster, but runs all
> > commands from crm as this user (even if running as root). I'm not sure
> > this is very well tested. "
> When I then run commands like crm configure under the root user it also
> hangs.

Hangs? Wasn't it in the first message that "cibadmin is not
available"? If it hangs, then you should check the process list
(pstree) to see what the shell is doing at the time and take a
look at the logs.

> > "I have the impression that the user colinlinux doesn't have
> > /usr/sbin in its path."
> I do, see my original mail (but I understand you could have missed it as
> it was a large mail)

I missed it too :)

> Thanks for your reply and time taken.
> 
> I would be keen to verify that this behaviour is reasonable to assume
> *should* be in pacemaker.

This I can't parse.

> The equivalent is in Veritas cluster
> server where certain commands are issued from a 'normal' user and
> trusted to configure the cluster/node.

For this, if I understood correctly, you would like to take a
look at ACLs. That doesn't require configuring sudo, i.e. the crm
shell runs all the time as the real user and the cluster should
be instructed by a set of ACL rules about users' rights.

Thanks,

Dejan

> Thanks again
> 
> Col
> 
> 
> 
> 
> On 09/27/12 18:07, pacemaker-request at oss.clusterlabs.org wrote:
> >Message: 3
> >Date: Thu, 27 Sep 2012 16:40:15 +0200
> >From: Lars Marowsky-Bree<lmb at suse.com>
> >To: The Pacemaker cluster resource manager
> >         <pacemaker at oss.clusterlabs.org>
> >Subject: Re: [Pacemaker] Can't issue 'crm configure' commands under
> >         privileged user
> >Message-ID:<20120927144015.GO4345 at suse.de>
> >Content-Type: text/plain; charset=iso-8859-1
> >
> >On 2012-09-27T14:57:08, Colin McCormack<colin.mccormack at openet.com>  wrote:
> >
> >>>  I installed pacemaker/corosync as root (details below):
> >>>  Pacemaker version 1.0.12, release 1.el5.centos, x86_64
> >>>  Corosync version 1.2.7, release 1.1.el5, x86_64
> >You have the user in the haclient group, and thus it should be able to
> >control the cluster. Perhaps
> >
> >>>  Allow user with privileged access to configure the node:
> >>>  crm options user colinlinux
> >This doesn't "allow" the user to configure the cluster, but runs all
> >commands from crm as this user (even if running as root). I'm not sure
> >this is very well tested.
> >
> >>>  WITH SUDO:
> >>>  colinlinux# sudo crm configure primitive xclock ocf:tester:xclock op monitor interval=20 timeout=20 start-delay=30s params run_user=colinlinux meta failure-timeout="360" migration-threshold=5
> >>>  error given:
> >>>  # cibadmin not available, check your installation
> >I have the impression that the user colinlinux doesn't have /usr/sbin in
> >its path.
> >
> >If you want to restrict the commands that a non-root user can execute on
> >the cluster, check out the CIB and the shell's ACL support.
> >
> >
> >Regards,
> >     Lars
> >
> >--
> >Architect Storage/HA
> >SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)
> >"Experience is the name everyone gives to their mistakes." -- Oscar Wilde

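The ACL approach that Dejan and Lars point to above, sketched as an added example that is not part of the original thread: a role limited to the resources section is bound to the unprivileged user, so crm runs as that user without sudo. It assumes a Pacemaker build with ACL support and a crm shell that provides the `role` and `user` configure commands; the role name `resource-admin` is hypothetical, and `colinlinux` is taken from the thread.

```crmsh
# Added example in crm shell "configure" syntax (load with: crm configure load update <file>).
# Assumption: Pacemaker is built with ACL support and the user is already
# a member of the haclient group, as stated in the thread.

# Hypothetical role: may change resource definitions, may only read the rest of the CIB.
role resource-admin \
    write xpath:"/cib/configuration/resources" \
    read xpath:"/cib"

# Bind the unprivileged account from the thread to that role.
user colinlinux role:resource-admin

# ACL rules are only enforced once this cluster property is set.
property enable-acl=true
```

With this in place, root and the hacluster user keep full access, while `colinlinux` is refused any write outside the resources section.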