ClusterLabs / crmsh

Command-line interface for High-Availability cluster management on GNU/Linux systems.
GNU General Public License v2.0

crmsh not working when using ACL #977

Closed heinervdm closed 1 year ago

heinervdm commented 2 years ago

I have multiple users with different access rights in my cluster. Therefore all my users are in the haclient group (RHEL 8) and I've defined several ACL entries in my cluster configuration.

When using crmsh I'm getting a PermissionError. Version 4.2.0 was working fine.

```
crm configure show
Traceback (most recent call last):
  File "/usr/sbin/crm", line 31, in <module>
    log.setup_logging()
  File "/usr/lib/python3.6/site-packages/crmsh/log.py", line 445, in setup_logging
    shutil.chown(CRMSH_LOG_FILE, constants.HA_USER, constants.HA_GROUP)
  File "/usr/lib64/python3.6/shutil.py", line 1052, in chown
    os.chown(path, _user, _group)
PermissionError: [Errno 1] Operation not permitted: '/var/log/crmsh/crmsh.log'
```

From the backtrace, I assume that crmsh wants to change the file owner after writing to the file. But without root permissions you are not allowed to change the owner to someone else. What should be done there is: chgrp instead of chown.

liangxin1300 commented 2 years ago

Hi @heinervdm, could you please show me the reproduction steps?

Thanks!

heinervdm commented 2 years ago

Hi @liangxin1300, I've created a new test installation with RockyLinux 8 (`yum install --enablerepo=ha corosync pacemaker`) and installed crmsh.

I have the following versions installed:

```
$corosync -v
Corosync Cluster Engine, version '3.1.5'
Copyright (c) 2006-2021 Red Hat, Inc.

Built-in features: dbus systemd xmlconf vqsim nozzle snmp pie relro bindnow
Available crypto models: nss openssl
Available compression models: zlib lz4 lz4hc lzo2 lzma bzip2

$pacemaker --version
Pacemaker 2.1.2-4.el8
Written by Andrew Beekhof

$crm --version
crm 4.4.0
```

I've created a test user and added it to the haclient group: `useradd -m -G haclient hatest`

I have the following dummy crm configuration:

```
$crm configure show
node 1: node1
node 2: node2
primitive ip IPaddr2 \
        params ip=10.2.0.10 cidr_netmask=24
property cib-bootstrap-options: \
        cluster-name=test \
        stonith-enabled=false \
        enable-acl=true \
        no-quorum-policy=ignore
role admin \
        write cib
acl_target hatest admin
```

When I then run `crm configure show` as the hatest user I get the following error:

```
[hatest@localhost]$ crm configure show
Traceback (most recent call last):
  File "/usr/sbin/crm", line 31, in <module>
    log.setup_logging()
  File "/usr/lib/python3.6/site-packages/crmsh/log.py", line 445, in setup_logging
    shutil.chown(CRMSH_LOG_FILE, constants.HA_USER, constants.HA_GROUP)
  File "/usr/lib64/python3.6/shutil.py", line 1052, in chown
    os.chown(path, _user, _group)
PermissionError: [Errno 1] Operation not permitted: '/var/log/crmsh/crmsh.log'
```

liangxin1300 commented 2 years ago

Hi @heinervdm

Please try #980: as root, run `crm`; the mode of /var/log/crmsh/crmsh.log will be changed to "664". Then switch to "hatest".

BTW, crmsh does not support corosync 3 yet (maybe until crmsh version 5.x).

heinervdm commented 2 years ago

This is working.

But if the logfile does not exist (e.g. the node is reinstalled and gets the cluster config from another node) it will create the logfile with the wrong permissions. Perhaps one should do the following:

```python
import logging.config  # snippet for crmsh/log.py; LOGGING_CFG, CRMSH_LOG_FILE and constants are that module's names
import os
import shutil
os.umask(0o002)
logging.config.dictConfig(LOGGING_CFG)
if os.path.exists(CRMSH_LOG_FILE):
    shutil.chown(CRMSH_LOG_FILE, os.getuid(), constants.HA_GROUP)
```

And perhaps use a class derived from RotatingFileHandler, which also honors the permissions, as mentioned in this Stack Overflow comment: https://stackoverflow.com/a/6779307
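A handler along the lines suggested above, written as an added example (it is neither crmsh's code nor the pull request from this thread): the file is created group-writable with a shared group via chgrp only, so the owner is never changed and an unprivileged group member is not refused, and the same happens for the fresh file after each rollover. It assumes the caller passes the group name or gid (crmsh's `constants.HA_GROUP` would be the real value); the `demo()` helper uses a temporary directory and the current gid as constructed input.

```python
import logging
import logging.handlers
import os
import shutil
import stat
import tempfile


class GroupWritableRotatingFileHandler(logging.handlers.RotatingFileHandler):
    """Creates the log file (also after rollover) with a fixed mode and a
    shared group so all group members can append. Only the group is changed
    (chgrp), never the owner, so unprivileged callers are not refused."""

    def __init__(self, filename, group, mode_bits=0o664, **kwargs):
        self._group = group          # group name or gid (assumption: caller picks it)
        self._mode_bits = mode_bits  # 0664: owner/group rw, others read-only
        super().__init__(filename, **kwargs)  # calls self._open() unless delay=True

    def _open(self):
        old_umask = os.umask(0o002)  # do not let the umask strip group-write
        try:
            stream = super()._open()
        finally:
            os.umask(old_umask)
        try:
            shutil.chown(self.baseFilename, None, self._group)  # chgrp only
            os.chmod(self.baseFilename, self._mode_bits)
        except PermissionError:
            pass  # not our file: another group member created it, keep its perms
        return stream


def demo():
    """Write one record to a constructed temp log and report its permissions."""
    path = os.path.join(tempfile.mkdtemp(), "crmsh.log")
    handler = GroupWritableRotatingFileHandler(
        path, group=os.getgid(), maxBytes=1_000_000, backupCount=3)
    logger = logging.getLogger("crmsh-demo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info("configure show run by uid %d", os.getuid())
    logger.removeHandler(handler)
    handler.close()
    st = os.stat(path)
    with open(path) as fh:
        written = "configure show" in fh.read()
    return {"mode": stat.S_IMODE(st.st_mode), "written": written,
            "group_ok": st.st_gid == os.getgid()}
```

Check the result on a real cluster node with `stat -c '%a %U:%G' /var/log/crmsh/crmsh.log`: it should read `664 <creator>:haclient` regardless of which haclient member created it.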

liangxin1300 commented 2 years ago

> This is working.
>
> But if the logfile does not exist (e.g. the node is reinstalled and gets the cluster config from another node) it will create the logfile with the wrong permissions. Perhaps one should do the following:
>
> ```python
> os.umask(0o002)
> logging.config.dictConfig(LOGGING_CFG)
> if os.path.exists(CRMSH_LOG_FILE):
>     shutil.chown(CRMSH_LOG_FILE, os.getuid(), constants.HA_GROUP)
> ```
>
> And perhaps use a class derived from RotatingFileHandler, which also honors the permissions, as mentioned in this Stack Overflow comment: https://stackoverflow.com/a/6779307

Hi @heinervdm, I think you are the right person to provide the PR :) Thanks!

heinervdm commented 2 years ago

I've created a pull request for this issue.