On Mon, Dec 12, 2011 at 4:38 PM, Andreas Kurz <andr...@hastexo.com> wrote:
> On 12/12/2011 03:37 AM, Larry Brigman wrote:
> > On Sun, Dec 11, 2011 at 5:01 PM, Tim Serong <tser...@suse.com> wrote:
> > > On 12/10/2011 10:35 AM, Larry Brigman wrote:
> > > > On Fri, Dec 9, 2011 at 3:19 PM, Andreas Kurz <andr...@hastexo.com> wrote:
> > > > > Hello Larry,
> > > > >
> > > > > On 12/09/2011 11:15 PM, Larry Brigman wrote:
> > > > > > I have installed pacemaker 1.1.5 and configure ACLs based on the info from
> > > > > > http://www.clusterlabs.org/doc/acls.html
> > > > > >
> > > > > > It looks like the user still does not have read access.
> > > > > >
> > > > > > Here is the acl section of config
> > > > > > <acls>
> > > > > >   <acl_role id="monitor">
> > > > > >     <read id="monitor-read" xpath="/cib"/>
> > > > > >   </acl_role>
> > > > > >   <acl_user id="nvs">
> > > > > >     <role_ref id="monitor"/>
> > > > > >   </acl_user>
> > > > > >   <acl_user id="acm">
> > > > > >     <role_ref id="monitor"/>
> > > > > >   </acl_user>
> > > > > > </acls>
> > > > > >
> > > > > > Here is what the user is getting:
> > > > > > [nvs@sweng0057 ~]$ crm node show
> > > > > > Signon to CIB failed: connection failed
> > > > > > Init failed, could not perform requested operations
> > > > > > ERROR: cannot parse xml: no element found: line 1, column 0
> > > > > > [nvs@sweng0057 ~]$ crm status
> > > > > >
> > > > > > Connection to cluster failed: connection failed
> > > > > >
> > > > > > Any ideas as to why this wouldn't work and what to fix?
> > > > >
> > > > > If you really followed exactly the guide ... did you check user nvs
> > > > > already is in group "haclient"?
> > > >
> > > > Thought of that.
> > > >
> > > > Adding the user to the haclient group removes any restrictions as I was
> > > > able to write to the config without error.
> > >
> > > Did you set "crm configure property enable-acl=true"? Without this,
> > > all users in the haclient group have full access.
> >
> > That was the second setting I added or changed. The first was the
> > schema to pacemaker-1.1.
> > Exactly like the acl page. I verified that both the schema and acl were
> > configured in with a dump of the xml.
>
> Your pacemaker build has acls enabled? ... "cibadmin -!" or "crm_report
> --features" should list the builtin features.

[root@sweng0057 ~]# cibadmin -!
Pacemaker 1.1.5-1.1.sme (Build: 01e86afaaa6d4a8c4836f68df80ababd6ca3902f): docbook-manpages ncurses cs-quorum corosync

Not enabled.... That explains it. The configure script doesn't enable acls by default so it's not built with them.
I'll make another pass when I rebuild my rpm package.
_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
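
The checks that came up in this thread (ACL support compiled in, schema, `enable-acl`, `haclient` membership, a resolvable `role_ref`), collected as an added example that is not part of the original messages or of Pacemaker itself. Everything in the sample CIB outside its `<acls>` section is constructed, `acl_preflight` is a hypothetical helper name, and `acls` as the feature token printed by `cibadmin -!` is an assumption.

```python
import xml.etree.ElementTree as ET

# `cibadmin -!` output as posted in the thread (ACL support not compiled in).
FEATURES_FROM_THREAD = ("Pacemaker 1.1.5-1.1.sme (Build: 01e86afaaa6d4a8c4836f68df80ababd6ca3902f): "
                        "docbook-manpages ncurses cs-quorum corosync")

# Constructed CIB: only the <acls> section comes from the thread.
SAMPLE_CIB = """<cib validate-with="pacemaker-1.1">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="opt-enable-acl" name="enable-acl" value="true"/>
      </cluster_property_set>
    </crm_config>
    <acls>
      <acl_role id="monitor"><read id="monitor-read" xpath="/cib"/></acl_role>
      <acl_user id="nvs"><role_ref id="monitor"/></acl_user>
      <acl_user id="acm"><role_ref id="monitor"/></acl_user>
    </acls>
  </configuration>
</cib>"""

def acl_preflight(feature_line, cib_xml, user, user_groups):
    """Return the reasons ACLs cannot work for `user`; an empty list means every check passed."""
    problems = []
    # Feature names follow the "(Build: ...):" prefix; the token "acls" is an assumption.
    if "acls" not in feature_line.split("):", 1)[-1].split():
        problems.append("build lacks ACL support")
    cib = ET.fromstring(cib_xml)
    # The thread switched the schema to pacemaker-1.1 before adding the <acls> section.
    if cib.get("validate-with") != "pacemaker-1.1":
        problems.append("schema is not pacemaker-1.1")
    props = {n.get("name"): n.get("value")
             for n in cib.iterfind("./configuration/crm_config//nvpair")}
    if props.get("enable-acl") != "true":
        problems.append("enable-acl is not true")
    if "haclient" not in user_groups:
        problems.append("user is not in group haclient")
    roles = {r.get("id") for r in cib.iter("acl_role")}
    entry = next((u for u in cib.iter("acl_user") if u.get("id") == user), None)
    if entry is None:
        problems.append("no acl_user entry for " + user)
    else:
        for ref in entry.findall("role_ref"):
            if ref.get("id") not in roles:
                problems.append("role_ref points at undefined role " + ref.get("id"))
    return problems

if __name__ == "__main__":
    for p in acl_preflight(FEATURES_FROM_THREAD, SAMPLE_CIB, "nvs", ["haclient"]):
        print("FAIL:", p)
```

Run against the output posted above, the only failure reported is the missing build feature, which matches the conclusion of the thread.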