On 01/05/12 13:23, Larry Brigman wrote:
> On Wed, Jan 4, 2012 at 8:50 PM, Gao,Yan <y...@suse.com <mailto:y...@suse.com>> wrote:
>
> > [root@sweng0096 ~]# crm configure property enable-acl=true
> > [root@sweng0096 ~]# crm
> > crm(live)#
> > role monitor \
> >> read xpath:"/cib"
> > crm(live)configure# user nvs role:monitor
> > crm(live)configure# user acm role:monitor
> > crm(live)configure# commit
> > crm(live)configure# exit
> > bye
> > [root@sweng0096 ~]# su - nvs
> > [nvs@sweng0096 ~]$ crm status
> >
> > Connection to cluster failed: connection failed
> What about:
> # id nvs
> # ls -ld /var/run/crm
> # ls -l /var/run/crm
>
> [root@myname run]# id nvs
> uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)

Any user who wants to access cib should belong to the "haclient" group. That's the prerequisite.

> [root@myname ~]# cd /var/run/crm
> [root@myname crm]# ls
> attrd cib_callback cib_ro cib_rw crmd pengine st_callback st_command
> [root@myname crm]# cd ..
> [root@myname run]# ls -ld crm
> drwxr-x--- 2 hacluster haclient 200 Jan 4 10:31 crm
> [root@myname run]# ls -l crm
> total 0
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 attrd
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_callback
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_ro
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 cib_rw
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 crmd
> srwxrwxrwx 1 hacluster root 0 Jan 4 10:31 pengine
> srwxrwxrwx 1 root root 0 Jan 4 10:31 st_callback
> srwxrwxrwx 1 root root 0 Jan 4 10:31 st_command
>
> If I change the crm directory permissions from 750 to 755 then
> things work. Should that be needed?

No. 750 is expected.

>
> Looking at the spec file I find the following:
> %dir %attr (750, %{uname}, %{gname}) %{_var}/run/crm
>
> Adding the user to the haclient group works but then the user has
> full write access which isn't what is wanted.

It seems that either the running cib is not built "--with-acl" or acl is not enabled with "crm configure enable-acl=true". If either of them is not satisfied, the regular user gets full access.

Regards,
  Gaoyan
--
Gao,Yan <y...@suse.com>
Software Engineer
China Server Team, SUSE.

_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
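The prerequisites from this thread as a POSIX shell check (an added example, not part of the original message and not Pacemaker code): it takes the output of `id <user>` and `ls -ld /var/run/crm` plus the `enable-acl` value and reports which access a non-root user ends up with. The function names, result labels, the constructed sample lines and treating `enable-acl=true` as also implying a cib built with ACL support are assumptions.

```sh
# in_group ID_OUTPUT GROUP: succeeds if GROUP appears in the groups= field
in_group() {
    ig_groups=${1##*groups=}       # text after "groups="
    ig_groups=${ig_groups%% *}     # drop any trailing fields
    case ",$ig_groups," in
        *"($2),"*) return 0 ;;
    esac
    return 1
}

# can_search MODE CLASS: does that permission class hold the search (x) bit?
can_search() {
    case "$2:$1" in
        owner:???[xs]*|group:??????[xs]*|other:?????????[xt]*) return 0 ;;
    esac
    return 1
}

# cib_access USER ID_OUTPUT LS_LD_LINE ENABLE_ACL (non-root users only)
cib_access() {
    ca_user=$1 ca_id=$2 ca_acl=$4
    read -r ca_mode ca_links ca_owner ca_group ca_rest <<EOF
$3
EOF
    # Pick the permission class the kernel applies to this user.
    if [ "$ca_user" = "$ca_owner" ]; then ca_class=owner
    elif in_group "$ca_id" "$ca_group"; then ca_class=group
    else ca_class=other
    fi
    if ! can_search "$ca_mode" "$ca_class"; then
        echo no-connection                # sockets unreachable: "connection failed"
    elif ! in_group "$ca_id" haclient; then
        echo unsupported-not-in-haclient  # e.g. directory loosened to 755
    elif [ "$ca_acl" = true ]; then
        echo acl-restricted               # the configured role applies
    else
        echo full-access                  # haclient member without ACL enforcement
    fi
}

ID_NVS='uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)'     # from the thread
DIR_750='drwxr-x--- 2 hacluster haclient 200 Jan 4 10:31 crm' # from the thread
DIR_755='drwxr-xr-x 2 hacluster haclient 200 Jan 4 10:31 crm' # constructed
ID_MEMBER="$ID_NVS,90(haclient)"                              # constructed gid

cib_access nvs "$ID_NVS" "$DIR_750" true
cib_access nvs "$ID_MEMBER" "$DIR_750" false
```

On a live node, pass `"$(id nvs)"` and `"$(ls -ld /var/run/crm)"` in place of the sample strings.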