Pacemaker ACL with "write xpath /cib" permission does not allow the creation of constraints

Solution In Progress - Updated -


  • A user's Pacemaker ACL role has full write permissions, but creating a constraint fails as shown below.
[testuser@fastvm-rhel-7-6-21 ~]$ pcs acl
ACLs are enabled

User: testuser
  Roles: ATSE_Admin
Role: ATSE_Admin
  Description: admin
  Permission: write xpath /cib (ATSE_Admin-write)

[testuser@fastvm-rhel-7-6-21 ~]$ groups
testuser haclient

[testuser@fastvm-rhel-7-6-21 ~]$ pcs constraint location my_dummy prefers fastvm-rhel-7-6-21 
Error: Unable to update cib
Call cib_replace failed (-13): Permission denied


  • Red Hat Enterprise Linux 7 (with the High Availability Add-on)
  • Red Hat Enterprise Linux 8 (with the High Availability Add-on)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In