[ClusterLabs] Pacemaker detail log directory permissions
Ken Gaillot
kgaillot at redhat.com
Wed Apr 24 10:32:16 EDT 2019
On Wed, 2019-04-24 at 16:08 +0200, wferi at niif.hu wrote:
> Hi,
>
> Make install creates /var/log/pacemaker with mode 0770, owned by
> hacluster:haclient. However, if I create the directory as root:root
> instead, pacemaker.log appears as hacluster:haclient all the same.
> What breaks in this setup besides log rotation (which can be fixed
> by removing the su directive)? Why is it a good idea to let the
> haclient group write the logs?

Cluster administrators are added to the haclient group. It's a minor
use case, but the group write permission allows such users to run
commands that log to the detail log. An example would be running
"crm_resource --force-start" for a resource agent that writes debug
information to the log.

If ACLs are not in use, such users already have full read/write access
to the CIB, so being able to read and write the log is not an
additional concern.

With ACLs, I could see wanting to change the permissions, and that idea
has come up already. One approach might be to add a PCMK_log_mode
option that would default to 0660, and users could make it more strict
if desired.
--
Ken Gaillot <kgaillot at redhat.com>
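
The permissions discussed in this thread can be checked on a node with a short audit. The following is an added example, not part of the original message and not Pacemaker code: it compares the log directory and pacemaker.log against a maximum mode and expected owner, and lists the group members who gain write access through the group-write bit. The function names are hypothetical, and it assumes GNU stat and getent are available.

```shell
#!/bin/sh
# Added example: audit the Pacemaker detail log directory against a policy.
# Paths, modes and names are the ones quoted in the thread; pass stricter
# maximum modes (for example 750 and 640) when ACLs are in use.

# extra_bits PATH MAX_MODE: print (octal) the permission bits set on PATH
# that MAX_MODE does not allow; prints 0 when PATH is within policy.
extra_bits() {
    actual=$(stat -c '%a' "$1") || return 2      # GNU stat, e.g. "770"
    printf '%o\n' $(( 0$actual & ~0$2 & 07777 ))
}

# audit_path PATH MAX_MODE OWNER GROUP: print one finding per line and
# return the number of findings (0 means PATH matches the policy).
audit_path() {
    findings=0
    if [ ! -e "$1" ]; then
        echo "MISSING $1"; return 1
    fi
    extra=$(extra_bits "$1" "$2")
    if [ "$extra" != 0 ]; then
        echo "MODE $1 has extra bits $extra beyond $2"
        findings=$((findings + 1))
    fi
    own=$(stat -c '%U:%G' "$1")
    if [ "$own" != "$3:$4" ]; then
        echo "OWNER $1 is $own, expected $3:$4"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# group_writers PATH: when PATH is group-writable, print the members of its
# group from the group database (primary-group-only users are not listed).
group_writers() {
    mode=$(stat -c '%a' "$1") || return 2
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        getent group "$(stat -c '%G' "$1")" | cut -d: -f4
    fi
}

# Run against the thread's defaults when the directory exists on this host.
LOG_DIR=/var/log/pacemaker
if [ -d "$LOG_DIR" ]; then
    audit_path "$LOG_DIR" 770 hacluster haclient || true
    [ ! -f "$LOG_DIR/pacemaker.log" ] ||
        audit_path "$LOG_DIR/pacemaker.log" 660 hacluster haclient || true
    echo "group writers: $(group_writers "$LOG_DIR" || true)"
fi
```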