[ClusterLabs] FYI: Alert script permissions

Ken Gaillot kgaillot at redhat.com
Wed Jun 1 10:25:32 EDT 2016


For anyone playing with the new alerts feature, there is one difference
from the old ClusterMon external scripts to be aware of.

Resource agents such as ClusterMon run as root, so ClusterMon's external
scripts also run as root.

The new alert scripts are run as the hacluster user. So if you are using
a ClusterMon script with the new alerts feature, be aware of permissions
issues. If an alert script needs elevated privileges, it is recommended
to use sudo. If you use SELinux, you may need to grant the hacluster
user access to files/devices/whatever needed by your script, as well as
the ability to execute the script itself.

The new approach has obvious security benefits but may be less
convenient in some cases. If there is a need, we may add the ability to
configure an alert script's run-as user in a future version.
-- 
Ken Gaillot <kgaillot at redhat.com>
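
The permission issue described in this message can be checked before a script is configured as an alert. The following is an added example, not part of the original post and not Pacemaker code: a preflight check, run as root, that reports whether an account such as hacluster can execute a script and traverse every directory above it. It assumes classic mode bits only; POSIX ACLs and SELinux policy are not modeled, and the command-line usage shown is hypothetical.

```python
#!/usr/bin/env python3
"""Preflight: can a given account (e.g. hacluster) run an alert script?

Checks classic mode bits only; POSIX ACLs and SELinux policy are not modeled.
"""
import os
import pwd
import stat
import sys


def ids_for(user):
    """Return (uid, set of gids) for a local account name."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))


def allowed(st, uid, gids, want):
    """Apply owner/group/other selection; `want` is a mask of rwx bits (0-7)."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want


def check_alert_script(path, uid, gids):
    """Return a list of problems that would stop uid/gids running `path`."""
    path = os.path.realpath(path)
    problems = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    elif not allowed(st, uid, gids, 0o5):  # interpreters need read + execute
        problems.append(f"{path}: needs r-x for uid {uid}")
    parent = os.path.dirname(path)
    while True:  # every ancestor directory needs search (x) permission
        if not allowed(os.stat(parent), uid, gids, 0o1):
            problems.append(f"{parent}: no search (x) permission for uid {uid}")
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return problems


if __name__ == "__main__":
    # Hypothetical usage (run as root): preflight.py /path/to/alert.sh [user]
    user = sys.argv[2] if len(sys.argv) > 2 else "hacluster"
    found = check_alert_script(sys.argv[1], *ids_for(user))
    print("\n".join(found) or f"OK: {user} can execute {sys.argv[1]}")
    sys.exit(1 if found else 0)
```

A script that passes here can still be blocked by SELinux, and files or devices the script opens need the same check.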



