[Pacemaker] Accessing CIB by user not 'root' and not 'hacluster'

Andrew Beekhof andrew at beekhof.net
Thu Jan 31 21:44:09 EST 2013


On Fri, Jan 25, 2013 at 8:39 PM, Jacek Konieczny <jajcus at jajcus.net> wrote:
> Hi,
>
> It used to be possible to access the Pacemaker's CIB from any user in
> the 'haclient' group, but after one of the upgrades it stopped working
> (I didn't care about this issue much then, so I cannot recall the exact
> point). Now I would like to restore the cluster state overview
> functionality in the UI of my system, so I would like to fix it.
>
> Currently I use Pacemaker 1.1.8 and Corosync 2.2.0.

I'm pretty sure the limiting factor here is the libqb version (this is
the piece that provides IPC).
What version of that do you have?

> The problem is:
>
> $ id
> uid=993(sipgwui) gid=993(sipgwui) groups=993(sipgwui),60(haclient),109(lighttpd)
> $ cibadmin -Q
> Could not establish cib_rw connection: Permission denied (13)
> Signon to CIB failed: Transport endpoint is not connected
> Init failed, could not perform requested operations
>
> Strace shows this fails on:
>
> open("/dev/shm/qb-cib_rw-control-12542-19960-19", O_RDWR) = -1 EACCES (Permission denied)
>
> and:
>
> $ ls -l /dev/shm/qb-cib_rw-control-12542-19960-19
> -rw------- 1 hacluster root 24 Jan 25 10:31 /dev/shm/qb-cib_rw-control-12542-19960-19
>
> I have googled around and found that a qb_ipcs_connection_auth_set() function
> could be used to set the permissions right on the SHM file. I found the
> right call in the Pacemaker sources (cib/callbacks.c), enclosed in the
> '#if ENABLE_ACL' clause. My build was not compiled with the ACL support,
> so I have re-built it with ACL on.
>
> Now the behaviour is the same, with one exception:
>
> $ ls -l /dev/shm/qb-cib_rw-control-1488-5008-17
> -rw-rw---- 1 hacluster root 24 Jan 25 10:19 /dev/shm/qb-cib_rw-control-1488-5008-17
>
> The file is now group-accessible, but the group is still 'root' and not
> 'haclient', although confdefs.h contained:
>
>         #define CRM_DAEMON_GROUP "haclient"
>
> The docs at http://clusterlabs.org/doc/acls.html state:
>
>> The various tools for administering Pacemaker clusters (crm_mon, crm
>> shell, cibadmin and friends, Python GUI, Hawk) can be used by the root
>> user, or any user in the haclient group. By default, these users have
>> full read/write access.
>
> This clearly is not the case.
>
> Any ideas?
>
> Greets,
>         Jacek
>
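As an added illustration that is not part of the thread, the following C program models the owner/group/other check the kernel applies when cibadmin opens the /dev/shm control file, so the three states seen above (0600 hacluster:root, 0660 hacluster:root, 0660 hacluster:haclient) can be compared for the sipgwui user. The numeric ids for hacluster and the helper names are constructed; gid 60 for haclient is taken from the `id` output in the thread.

```c
/* Added example, not code from Pacemaker or libqb: a model of the classic
 * Unix owner/group/other check (no capabilities, no POSIX ACLs) applied to
 * the libqb shared-memory control file. Ids below are constructed. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define UID_HACLUSTER 189   /* constructed: owner of the control file */
#define GID_ROOT        0
#define GID_HACLIENT   60   /* from the 'id' output in the thread */
#define UID_SIPGWUI   993
#define GID_SIPGWUI   993
#define GID_LIGHTTPD  109

/* Return 1 if a process with uid/gids may open the file O_RDWR, else 0. */
int can_open_rdwr(mode_t mode, uid_t file_uid, gid_t file_gid,
                  uid_t uid, const gid_t *gids, size_t ngids)
{
    mode_t need;
    if (uid == file_uid) {
        need = S_IRUSR | S_IWUSR;              /* owner bits apply */
    } else {
        int in_group = 0;
        for (size_t i = 0; i < ngids; i++) {
            if (gids[i] == file_gid) { in_group = 1; break; }
        }
        need = in_group ? (S_IRGRP | S_IWGRP)  /* group bits apply */
                        : (S_IROTH | S_IWOTH); /* otherwise "other" bits */
    }
    return (mode & need) == need;
}

/* Check one observed state of /dev/shm/qb-cib_rw-control-* for sipgwui,
 * whose supplementary groups are sipgwui, haclient and lighttpd. */
int check_state(const char *label, mode_t mode, gid_t file_gid)
{
    const gid_t gids[] = { GID_SIPGWUI, GID_HACLIENT, GID_LIGHTTPD };
    int ok = can_open_rdwr(mode, UID_HACLUSTER, file_gid, UID_SIPGWUI, gids, 3);
    printf("%-42s -> %s\n", label, ok ? "open succeeds" : "EACCES");
    return ok;
}

int main(void)
{
    check_state("0600 hacluster:root (ACL off)", 0600, GID_ROOT);          /* EACCES */
    check_state("0660 hacluster:root (ACL on, gid root)", 0660, GID_ROOT); /* EACCES */
    check_state("0660 hacluster:haclient (documented)", 0660, GID_HACLIENT); /* succeeds */
    return 0;
}
```

The second line shows why the rebuilt daemon still fails: group read/write is granted, but to gid 0, which sipgwui does not hold.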
