Pacemaker ACL with "write xpath /cib" permission does not allow the creation of constraints

Solution In Progress - Updated -


  • A user's Pacemaker ACL role has full write permissions, but creating a constraint fails as shown below.
[testuser@fastvm-rhel-7-6-21 ~]$ pcs acl
ACLs are enabled

User: testuser
  Roles: ATSE_Admin
Role: ATSE_Admin
  Description: admin
  Permission: write xpath /cib (ATSE_Admin-write)

[testuser@fastvm-rhel-7-6-21 ~]$ groups
testuser haclient

[testuser@fastvm-rhel-7-6-21 ~]$ pcs constraint location my_dummy prefers fastvm-rhel-7-6-21 
Error: Unable to update cib
Call cib_replace failed (-13): Permission denied


  • Red Hat Enterprise Linux 7 (with the High Availability Add-on)
  • Red Hat Enterprise Linux 8 (with the High Availability Add-on)
