[Pacemaker] pacemaker monitoring user permision denied

Andrew Beekhof andrew at beekhof.net
Wed Jun 12 21:48:46 UTC 2013


On 12/06/2013, at 8:28 PM, Wolfgang Routschka <wolfgang.routschka at drumedar.de> wrote:

> Hi,
> 
> sorry for my mistake of course is hacluster the pacemaker user.
> 
> nagios user is in haclient group and have full access for crmshell without having any role/user configuration. my pacemaker version is pacemaker-1.1.10-1.1622.6ca9c6b.git.el6.x86_64
> 
> In my opinion the user doesn´t have any rights although the user is in haclient group and having no role/user configuration. Is it right?

No.  Users in the haclient group have full access.  Thats what it is for.

> 
> Greetings Wolfgang
> 
> Date: Mon, 10 Jun 2013 23:03:12 +0200
> From: Lars Marowsky-Bree <lmb at suse.com>
> To: The Pacemaker cluster resource manager
> 	<pacemaker at oss.clusterlabs.org>
> Subject: Re: [Pacemaker] pacemaker monitoring user permision denied
> Message-ID: <20130610210312.GO4768 at suse.de>
> Content-Type: text/plain; charset=iso-8859-1
> 
> On 2013-06-10T18:22:37, Wolfgang Routschka <wolfgang.routschka at drumedar.de> wrote:
> 
>> After reading Documentation (http://clusterlabs.org/doc/acls.html) I found "All user accounts must be in the haclient group." but all users in haclient group have full access "Note that the root and hacluster users will always have full access."
> 
> uid=hacluster != gid=haclient
> 
> 
> Regards,
>    Lars
> 
> --
> Architect Storage/HA
> SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imend?rffer, HRB 21284 (AG N?rnberg) "Experience is the name everyone gives to their mistakes." -- Oscar Wilde
> 
> -----
> 
> Hi,
> 
> one more question about this topic.
> 
> I installed pacemaker-1.1.10-1.1622.6ca9c6b.git.el6.x86_64 for testing with acl.
> 
> user nagios is configured with crm-shell and role monitor
> 
> role monitor \
>        read cib
> user nagios \
>        role:monitor
> 
> After starting crmsh "Attempting connection to the cluster...Could not establish cib_ro connection:"
> 
> After reading Documentation (http://clusterlabs.org/doc/acls.html) I found "All user accounts must be in the haclient group." but all users in haclient group have full access "Note that the root and hacluster users will always have full access."
> 
> How can I configure my nagios user to only running crm_mon for reading cluster status.
> 
> Greeting Wolfgang
> 
>> On 23/04/2013, at 2:56 PM, Andreas Mock <Andreas.Mock at web.de<http://oss.clusterlabs.org/mailman/listinfo/pacemaker>> wrote:
>> 
>> Hi Andrew,
>> 
>> is 1.1.10-rc1 a working title or can the package be found somewhere?
>> 
>> Its currently just a tag.
>> Grabbing the source tree and running "make TAG=Pacemaker-1.1.10-rc1 rpm" will give you packages.
>> 
>> 
>> I saw that on http://clusterlabs.org/rpm-next/rhel-6/x86_64/
>> there is a new 1.1.9 build.
>> Is this a new snapshop build (e.g. having memory leak corrections)?
>> 
>> No, its a rebuild that turns cman support back on.
>> 
>> 
>> Best regards
>> Andreas Mock
>> 
>> 
>> -----Ursprüngliche Nachricht-----
>> Von: Andrew Beekhof [mailto:andrew at beekhof.net<http://oss.clusterlabs.org/mailman/listinfo/pacemaker>]
>> Gesendet: Dienstag, 23. April 2013 01:46
>> An: The Pacemaker cluster resource manager
>> Betreff: Re: [Pacemaker] pacemaker monitoring user permision denied
>> 
>> 
>> On 23/04/2013, at 1:45 AM, Wolfgang Routschka
>> <wolfgang.routschka at drumedar.de<http://oss.clusterlabs.org/mailman/listinfo/pacemaker>> wrote:
>> 
>>> Hi everbody,
>>> 
>>> I want to monitor our pacemaker/cman cluster on scientific linux 6.4 RHEL
>> clone with nagios .
>>> 
>>> After reading documentation http://clusterlabs.org/doc/acls.html and
>>> configuration my nagios user isn´t able to start crm_mon
>>> 
>>> "Attempting connection to the cluster...Could not establish cib_ro
>> connection: Permission denied (13)"
>>> 
>>> User is in haclient group
>>> 
>>> [nagios at xx<http://oss.clusterlabs.org/mailman/listinfo/pacemaker> ~]$ id
>>> uid=510(nagios) gid=310(nagios) Gruppen=310(nagios),498(haclient)
>> 
>> This is a known issue that has been fixed in 1.1.10-rc1
>> 
>>> 
>>> I used Pacemaker 1.1.8-7.el6.x86_64
>>> 
>>> My CIB schema is configured for pacemaker-1.2
>>> 
>>> <cib epoch="259" num_updates="31" admin_epoch="0"
>> validate-with="pacemaker-1.2"
>>> 
>>> enable acl is configured
>>> 
>>> crm configure show
>>> 
>>> property $id="cib-bootstrap-options" \
>>>     dc-version="1.1.8-7.el6-394e906" \
>>>     cluster-infrastructure="cman" \
>>>       no-quorum-policy="ignore" \
>>>       stonith-enabled="false" \
>>>       enable-acl="true"
>>> 
>>> Greetings
>>> 
>>> _______________________________________________
>>> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org<http://oss.clusterlabs.org/mailman/listinfo/pacemaker>
>>> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>>> 
>>> Project Home: http://www.clusterlabs.org Getting started:
>>> http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>>> Bugs: http://bugs.clusterlabs.org
>> 
>> 
>> _______________________________________________
>> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org<http://oss.clusterlabs.org/mailman/listinfo/pacemaker>
>> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>> 
>> Project Home: http://www.clusterlabs.org Getting started:
>> http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>> Bugs: http://bugs.clusterlabs.org
>> 
>> 
>> _______________________________________________
>> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org<http://oss.clusterlabs.org/mailman/listinfo/pacemaker>
>> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>> 
>> Project Home: http://www.clusterlabs.org
>> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>> Bugs: http://bugs.clusterlabs.org
> 
> 
> -------------- n?chster Teil --------------
> Ein Dateianhang mit HTML-Daten wurde abgetrennt...
> URL: <http://oss.clusterlabs.org/pipermail/pacemaker/attachments/20130610/154edaef/attachment.html>
> 
>    Previous message: [Pacemaker] What kind of cluster stack at opensuse-repositories
>    Next message: [Pacemaker] pacemaker monitoring user permision denied
>    Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> 
> More information about the Pacemaker mailing list
> 
> 
> _______________________________________________
> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
> 
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org





More information about the Pacemaker mailing list