Cluster verify checks server.pem permissions
author Michele Tartara <mtartara@google.com>
Tue, 9 Jul 2013 16:05:00 +0000 (18:05 +0200)
committer Michele Tartara <mtartara@google.com>
Tue, 9 Jul 2013 16:41:01 +0000 (16:41 +0000)
Currently, ConfD must be able to access server.pem (though this is likely to
change in the future). If this is not true, all sorts of weird things happen,
such as "gnt-node list" printing lots of question marks instead of actual
data, with no meaningful error.

This patch adds a check for the proper access permission to
"gnt-cluster verify".

Fixes Issue 518.

Signed-off-by: Michele Tartara <mtartara@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

lib/cmdlib/cluster.py

index 9ced853..d3e26bd 100644 (file)
@@ -1277,6 +1277,13 @@ class LUClusterVerifyConfig(NoHooksLU, _VerifyErrors):
       (errcode, msg) = _VerifyCertificate(cert_filename)
       self._ErrorIf(errcode, constants.CV_ECLUSTERCERT, None, msg, code=errcode)
 
+    self._ErrorIf(not utils.CanRead(constants.CONFD_USER,
+                                    pathutils.NODED_CERT_FILE),
+                  constants.CV_ECLUSTERCERT,
+                  None,
+                  pathutils.NODED_CERT_FILE + " must be accessible by the " +
+                    constants.CONFD_USER + " user")
+
     feedback_fn("* Verifying hypervisor parameters")
 
     self._VerifyHVP(_GetAllHypervisorParameters(self.cfg.GetClusterInfo(),
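
Review bot: The new `_ErrorIf` call reports under `constants.CV_ECLUSTERCERT`, the same code the preceding `_VerifyCertificate` result uses, so a permission problem and an invalid certificate cannot be told apart by error code; consider a dedicated code, or at least make the message unambiguous. The test is `utils.CanRead`, so the text should say "must be readable by" rather than "must be accessible by", which matches what is actually checked. The message is built by concatenation with an oddly indented continuation line; a single format string such as `"%s must be readable by the %s user" % (pathutils.NODED_CERT_FILE, constants.CONFD_USER)` reads more clearly. A short comment above the call explaining why `constants.CONFD_USER` needs this file would also help, since the commit message notes the requirement is likely to change and the check should be easy to find and remove then.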