[ClusterLabs] Cluster administration from non-root users

Auer, Jens jens.auer at cgi.com
Mon Jun 13 11:57:16 UTC 2016 

Hi,

I am trying to give admin rights to my clusters to non-root users. I have two users which need to be able to control the cluster. Both are members of the haclient group, and I have created acl roles granting write-access. I can query the cluster status, but I am unable to perform any commands:
id
uid=1000(mdaf) gid=1000(mdaf) groups=1000(mdaf),10(wheel),189(haclient),801(mdaf),802(mdafkey),803(mdafmaintain)

pcs acl
ACLs are enabled

User: mdaf
  Roles: admin
User: mdafmaintain
  Roles: admin
Role: admin
  Permission: write xpath /cib (admin-write)

pcs cluster status
Cluster Status:
 Last updated: Mon Jun 13 11:46:45 2016        Last change: Mon Jun 13 11:46:38 2016 by root via cibadmin on MDA2PFP-S02
 Stack: corosync
 Current DC: MDA2PFP-S01 (version 1.1.13-10.el7-44eb2dd) - partition with quorum
 2 nodes and 9 resources configured
 Online: [ MDA2PFP-S01 MDA2PFP-S02 ]

PCSD Status:
  MDA2PFP-S01: Online
  MDA2PFP-S02: Online

pcs cluster stop
Error: localhost: Permission denied - (HTTP error: 403)

pcs cluster start
Error: localhost: Permission denied - (HTTP error: 403)

I tried to use sudo instead, but this also not working:
sudo pcs status
Permission denied
Error: unable to locate command: /usr/sbin/crm_mon

Any help would be greatly appreciated.

Best wishes,
  Jens

--
Jens Auer | CGI | Software-Engineer
CGI (Germany) GmbH & Co. KG
Rheinstraße 95 | 64295 Darmstadt | Germany
T: +49 6151 36860 154
jens.auer at cgi.com<mailto:jens.auer at cgi.com>
Unsere Pflichtangaben gemäß § 35a GmbHG / §§ 161, 125a HGB finden Sie unter de.cgi.com/pflichtangaben<http://de.cgi.com/pflichtangaben>.

CONFIDENTIALITY NOTICE: Proprietary/Confidential information belonging to CGI Group Inc. and its affiliates may be contained in this message. If you are not a recipient indicated or intended in this message (or responsible for delivery of this message to such person), or you think for any reason that this message may have been addressed to you in error, you may not use or copy or deliver this message to anyone else. In such case, you should destroy this message and are asked to notify the sender by reply e-mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20160613/b6e066c2/attachment-0003.html>

More information about the Users mailing list