[ClusterLabs] PCS ACL for the "pcs cluster stop" command
Roberto Rodrigos
robson2445 at gmail.com
Fri Oct 13 04:13:27 EDT 2023
Good day!
I use the configuration shown below to create an ACL. How can I
restrict access to the "pcs cluster stop" command for a user?
useradd rouser -m -G haclient
useradd rwuser -m -G haclient
passwd rwuser
passwd rouser
pcs acl enable
pcs acl role create read-only description="Read access to cluster" read xpath /cib
pcs acl role create write-access description="Full access" write xpath /cib
pcs acl permission add write_config write xpath /cib/configuration
pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
pcs acl permission add write_config write xpath //resources
pcs acl permission add write_config write xpath //constraints
pcs acl user create rouser read-only
pcs acl user create rwuser write-access
pcs acl role assign read-only to rouser
pcs acl role assign write_config to rwuser
User: rouser
Roles: read-only
User: rwuser
Roles: write-access write_config
Role: read-only
Description: Read access to cluster
Permission: read xpath /cib (read-only-read)
Role: write-access
Description: Full access
Permission: write xpath /cib (write-access-write)
Role: write_config
Permission: write xpath /cib/configuration (write_config-write)
Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
Permission: write xpath //resources (write_config-write-3)
Permission: write xpath //constraints (write_config-write-4)
su rouser
Username: rouser
Password:
localhost: Authorized
pcs cluster stop
Stopping Cluster (pacemaker)...
Stopping Cluster (corosync)...