Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / SUSE Linux Enterprise High Availability – Dokumentation / Administration Guide / Appendix / Running cluster reports without root access
Applies to SUSE Linux Enterprise High Availability 15 SP6

D Running cluster reports without root access

All cluster nodes must be able to access each other via SSH. Tools like crm report (for troubleshooting) and Hawk2's History Explorer require passwordless SSH access between the nodes, otherwise they can only collect data from the current node.

If your security policy does not allow passwordless root SSH login, then running crm report as root fails on all remote nodes. In this case, you can still run cluster reports with one of the following options:

  • If the cluster was initialized by a non-root user with sudo privileges, this user can run cluster reports.

  • If the cluster was initialized by the root user, you can create a dedicated non-root user to run cluster reports.

The following procedure describes how to give a non-root user limited privileges so that it can use sudo to run crm report, but otherwise has no sudo access.

D.1 Configuring limited sudo privileges for a non-root user

The sudo command allows a regular user to quickly become root and issue a command, with or without providing a password. Sudo access can be given to all root-level commands or to specific commands only. This procedure describes how to configure sudo privileges only for the specific commands required to run cluster reports. Sudo typically uses aliases to define the entire command string.

To configure sudo either use visudo (not vi) or YaST.

Warning
Warning: Do not use vi

For sudo configuration from command line, you must edit the sudoers file as root with visudo. Using any other editor may result in syntax or file permission errors that prevent sudo from running.

Requirements
  • A non-root user with no sudo privileges. The following procedure uses an example user called hareport.

  • The user hareport exists on all nodes in the cluster.

  • The user hareport can access all other nodes in the cluster via passwordless SSH.

Procedure D.1: Configuring limited sudo privileges for a non-root user
  1. Log in as root.

  2. To open the /etc/sudoers file, enter visudo.

  3. Look for the following categories: Host alias specification, User alias specification, Cmnd alias specification, and Runas alias specification.

  4. Add the following entries to the respective categories in /etc/sudoers:

    Host_Alias	CLUSTER = alice,bob,charlie 1
    User_Alias HA = hareport 2
    Cmnd_Alias HA_ALLOWED = /bin/su, /usr/sbin/crm report*3
    Runas_Alias R = root 4

    1

    The host alias defines on which server (or range of servers) the sudo user has rights to issue commands. In the host alias you can use DNS names, or IP addresses, or specify an entire network range (for example, 172.17.12.0/24). To limit the scope of access you should specify the host names for the cluster nodes only.

    2

    The user alias allows you to add multiple local user accounts to a single alias. However, in this case only one account is being used.

    3

    The command alias defines which commands can be executed by the user. This is useful if you need to limit what the non-root user can access when using sudo. In this case the hareport user account needs access to the commands crm report and su.

    4

    The runas alias specifies the account that the command will be run as, in this case root.

  5. Search for the following two lines:

    Defaults targetpw
    ALL     ALL=(ALL) ALL

    As they would conflict with the setup we want to create, disable them:

    #Defaults targetpw
    #ALL     ALL=(ALL) ALL
  6. Look for the User privilege specification category. After having defined the aliases above, you can now add the following rule there:

    HA	CLUSTER = (R) NOPASSWD:HA_ALLOWED

    The NOPASSWORD option ensures that the user hareport can execute the cluster report without providing a password.

  7. (Optional) To allow the user hareport to run cluster reports using your local SSH keys, add the following line to the Defaults specification category. This preserves the SSH_AUTH_SOCK environment variable, which is required for SSH agent forwarding.

    Defaults!HA_ALLOWED env_keep+=SSH_AUTH_SOCK

    When you log in to a node as the user hareport via ssh -A and use sudo to run crm report, your local SSH keys are passed to the node for authentication.

Important
Important: Same sudo configuration is required on each cluster node

This sudo configuration must be made on all nodes in the cluster. No other changes are needed for sudo and no services need to be restarted.