D Running cluster reports without root access #
All cluster nodes must be able to access each other via SSH. Tools like
crm report (for
troubleshooting) and Hawk2's require
passwordless SSH access between the nodes, otherwise they can only collect
data from the current node.
If your security policy does not allow passwordless root SSH login,
then running crm report as root fails on all remote nodes.
In this case, you can still run cluster reports with one of the following options:
If the cluster was initialized by a non-root user with
sudoprivileges, this user can run cluster reports.If the cluster was initialized by the
rootuser, you can create a dedicated non-root user to run cluster reports.
The following procedure describes how to give a non-root user limited privileges so
that it can use sudo to run crm report, but
otherwise has no sudo access.
D.1 Configuring limited sudo privileges for a non-root user #
The sudo command allows a regular user to quickly
become root and issue a command, with or without providing a
password. Sudo access can be given to all root-level commands or to
specific commands only. This procedure describes how to configure sudo
privileges only for the specific commands required to run cluster reports.
Sudo typically uses aliases to define the entire command string.
To configure sudo either use visudo
(not vi) or YaST.
For sudo configuration from command line, you must edit the sudoers file
as root with visudo. Using any other editor may
result in syntax or file permission errors that prevent sudo from
running.
A non-root user with no
sudoprivileges. The following procedure uses an example user calledhareport.The user
hareportexists on all nodes in the cluster.The user
hareportcan access all other nodes in the cluster via passwordless SSH.
sudo privileges for a non-root user #Log in as
root.To open the
/etc/sudoersfile, entervisudo.Look for the following categories:
Host alias specification,User alias specification,Cmnd alias specification, andRunas alias specification.Add the following entries to the respective categories in
/etc/sudoers:Host_Alias CLUSTER = alice,bob,charlie 1 User_Alias HA = hareport 2 Cmnd_Alias HA_ALLOWED = /bin/su, /usr/sbin/crm report*3 Runas_Alias R = root 4
The host alias defines on which server (or range of servers) the sudo user has rights to issue commands. In the host alias you can use DNS names, or IP addresses, or specify an entire network range (for example,
172.17.12.0/24). To limit the scope of access you should specify the host names for the cluster nodes only.The user alias allows you to add multiple local user accounts to a single alias. However, in this case only one account is being used.
The command alias defines which commands can be executed by the user. This is useful if you need to limit what the non-root user can access when using
sudo. In this case thehareportuser account needs access to the commandscrm reportandsu.The
runasalias specifies the account that the command will be run as, in this caseroot.Search for the following two lines:
Defaults targetpw ALL ALL=(ALL) ALL
As they would conflict with the setup we want to create, disable them:
#Defaults targetpw #ALL ALL=(ALL) ALL
Look for the
User privilege specificationcategory. After having defined the aliases above, you can now add the following rule there:HA CLUSTER = (R) NOPASSWD:HA_ALLOWED
The
NOPASSWORDoption ensures that the userhareportcan execute the cluster report without providing a password.(Optional) To allow the user
hareportto run cluster reports using your local SSH keys, add the following line to theDefaults specificationcategory. This preserves theSSH_AUTH_SOCKenvironment variable, which is required for SSH agent forwarding.Defaults!HA_ALLOWED env_keep+=SSH_AUTH_SOCK
When you log in to a node as the user
hareportviassh -Aand usesudoto runcrm report, your local SSH keys are passed to the node for authentication.
This sudo configuration must be made on all nodes in the cluster. No other changes are needed for sudo and no services need to be restarted.