On Thu, Jan 5, 2012 at 12:34 AM, Gao,Yan <y...@suse.com> wrote:
> On 01/05/12 13:23, Larry Brigman wrote:
> > On Wed, Jan 4, 2012 at 8:50 PM, Gao,Yan <y...@suse.com
> > <mailto:y...@suse.com>> wrote:
> >
> > > [root@sweng0096 ~]# crm configure property enable-acl=true
> > > [root@sweng0096 ~]# crm
> > > crm(live)#
> > > role monitor \
> > >> read xpath:"/cib"
> > > crm(live)configure# user nvs role:monitor
> > > crm(live)configure# user acm role:monitor
> > > crm(live)configure# commit
> > > crm(live)configure# exit
> > > bye
> > > [root@sweng0096 ~]# su - nvs
> > > [nvs@sweng0096 ~]$ crm status
> > >
> > > Connection to cluster failed: connection failed
> > What about:
> > # id nvs
> > # ls -ld /var/run/crm
> > # ls -l /var/run/crm
> >
> > [root@myname run]# id nvs
> > uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)
> Any user who wants to access cib should belong to "haclient" group.
> That's the prerequisite.
>
> > [root@myname ~]# cd /var/run/crm
> > [root@myname crm]# ls
> > attrd cib_callback cib_ro cib_rw crmd pengine st_callback st_command
> > [root@myname crm]# cd ..
> > [root@myname run]# ls -ld crm
> > drwxr-x--- 2 hacluster haclient 200 Jan 4 10:31 crm
> > [root@myname run]# ls -l crm
> > total 0
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 attrd
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_callback
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_ro
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_rw
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 crmd
> > srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 pengine
> > srwxrwxrwx 1 root root 0 Jan 4 10:31 st_callback
> > srwxrwxrwx 1 root root 0 Jan 4 10:31 st_command
> >
> > If I change the crm directory permissions from 750 to 755 then
> > things work. Should that be needed?
> No. 750 is expected.
>
> > Looking at the spec file I find the following:
> > %dir %attr (750, %{uname}, %{gname}) %{_var}/run/crm
> >
> > Adding the user to the haclient group works but then the user has
> > full write access which isn't what is wanted.
> It seems that either the running cib is not built "--with-acl" or acl is
> not enabled with "crm configure enable-acl=true". Either of them is not
> satisfied, the regular user gets full access.
>
The last piece, last time, was that the users were not in the haclient group. I now have all of that automated during our install, but the users are still getting an error for access for a time after this is configured, then it starts working. We don't have any existing changes going into the cib. The only thing that I did that might have caused this to start working, but it wasn't a write:

cibadmin --query

After that command things seem to work for a role-based user with read-only access.
_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
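The thread pins the "connection failed" symptom on three prerequisites: haclient membership, /var/run/crm staying 750 hacluster:haclient, and enable-acl actually being set in the CIB. The script below is an added diagnostic, not code from the thread or from Pacemaker; it assumes the crm shell and the /var/run/crm layout shown above, and that `crm configure show` prints properties as `name="value"` lines.

```shell
#!/bin/bash
# Added example (not from the thread): checks the three prerequisites the
# replies above identify before a read-only ACL user can run "crm status".
# Assumed: the crm shell and the /var/run/crm layout shown in the thread.

# 1. The user must be in the "haclient" group. $2 is an optional "id -nG"
#    style group list so the check can be exercised without a real account.
user_in_haclient() {
    local groups="${2:-$(id -nG "$1" 2>/dev/null)}"
    case " $groups " in
        *" haclient "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. /var/run/crm is expected to stay 750 hacluster:haclient; widening it to
#    755 "works" only because it bypasses the group check. $1 is an
#    "ls -ld" line (defaults to the live directory; trailing "." or "+" from
#    SELinux/POSIX ACL labels is tolerated).
crm_dir_ok() {
    local line="${1:-$(ls -ld /var/run/crm 2>/dev/null)}"
    set -- $line
    [ "${1%[.+]}" = "drwxr-x---" ] && [ "$3" = "hacluster" ] && [ "$4" = "haclient" ]
}

# 3. enable-acl must be true in the CIB, otherwise a regular haclient member
#    gets full access. $1 is the text of "crm configure show" (assumed
#    name="value" property format; defaults to the live output).
acl_enabled() {
    local cfg="${1:-$(crm configure show 2>/dev/null)}"
    printf '%s\n' "$cfg" |
        grep -Eq '(^|[[:space:]])enable-acl="?true"?([[:space:]]|$)'
}

# Run all three against the live node and report what is missing.
check_acl_user() {
    local user="$1" rc=0
    user_in_haclient "$user" || { echo "$user is not in haclient"; rc=1; }
    crm_dir_ok || { echo "/var/run/crm is not 750 hacluster:haclient"; rc=1; }
    acl_enabled || { echo "enable-acl is not true in the CIB"; rc=1; }
    return "$rc"
}

if [ -n "${1:-}" ]; then
    check_acl_user "$1"
fi
```

Run it as `./check_acl_user.sh nvs` on the node; a clean exit means all three prerequisites hold and any remaining failure is elsewhere (for example the build lacking `--with-acl`).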