[ClusterLabs] PCS ACL for the "pcs cluster stop" command

Miroslav Lisik mlisik at redhat.com
Mon Oct 16 08:28:04 EDT 2023


Hi Roberto!

On 10/13/23 10:13, Roberto Rodrigos wrote:
> good day!
> I use the configuration to create an ACL, it is shown below. How can I 
> restrict access to the "pcs cluster stop" command for a user?
> 
There is a way to restrict access to the `pcs cluster stop` command, but you
need to change permission settings in pcs-web-ui. It cannot be done from
the CLI.

Here is the procedure:
1. create a system user and add it to the 'haclient' group
2. log in as the hacluster user in the pcs-web-ui on some cluster node
(https://hostname:2224/ui)
3. add the existing cluster
4. go to the cluster settings and click on the permissions tab
5. remove permissions for the haclient group or restrict its access to "Read"
6. add "Read" permissions for your created user.

This will restrict access to the `pcs cluster stop` command but also to
other commands which make changes through the pcsd daemon.
Here is a probably incomplete list of affected commands:
* pcs cluster destroy
* pcs cluster enable/disable
* pcs cluster node
* pcs cluster start/stop
* pcs cluster sync
* pcs pcsd sync-certificates

This will also restrict the user and the haclient group from accessing web
UI actions which change the CIB configuration (e.g. managing resources), but
CLI commands working with the CIB configuration will still work (e.g.
`pcs resource create`), so you need to use pacemaker ACLs for further
user restrictions.
> 
> useradd rouser -m -G haclient
> useradd rwuser -m -G haclient
> passwd rwuser
> passwd rouser
> pcs acl enable
> pcs acl role create read-only description="Read access to cluster" read xpath /cib
> pcs acl role create write-access description="Full access" write xpath /cib
> pcs acl permission add write_config write xpath /cib/configuration
> pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> pcs acl permission add write_config write xpath //resources
> pcs acl permission add write_config write xpath //constraints
> pcs acl user create rouser read-only
> pcs acl user create rwuser write-access
> pcs acl role assign read-only to rouser
> pcs acl role assign write_config to rwuser
> 
> User: rouser
>    Roles: read-only
> User: rwuser
>    Roles: write-access write_config
> Role: read-only
>    Description: Read access to cluster
>    Permission: read xpath /cib (read-only-read)
> Role: write-access
>    Description: Full access
>    Permission: write xpath /cib (write-access-write)
> Role: write_config
>    Permission: write xpath /cib/configuration (write_config-write)
>    Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
>    Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
>    Permission: write xpath //resources (write_config-write-3)
>    Permission: write xpath //constraints (write_config-write-4)
> 
> su rouser
> Username: rouser
> Password:
> localhost: Authorized
> pcs cluster stop
> Stopping Cluster (pacemaker)...
> Stopping Cluster (corosync)...
> 
> 
Regards,
Miroslav
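The reply above draws a line between two permission models: Pacemaker ACLs, which are xpath-scoped read/write/deny rules stored in the CIB `<acls>` section, and pcsd permissions, which govern daemon-level actions such as `pcs cluster stop` and are set in the web UI. The following script is an added example (not pcs or Pacemaker code) that parses the `<acls>` section equivalent to the quoted `pcs acl` commands and audits it: it flattens each user's roles into effective permissions, flags a role that grants write on `/cib` (which makes every narrower permission in `write_config` redundant), and reports users assigned to undefined roles or left with no CIB permissions at all. The element and attribute names (`acl_role`, `acl_permission`, `acl_target`, `kind`, `xpath`) are Pacemaker's CIB ACL schema; the sample document is constructed here to match the thread's configuration, with ids following the pcs output shown. Nothing in it can express a rule about `pcs cluster stop`, which is exactly why `rouser` could still run it.

```python
"""Audit the Pacemaker CIB <acls> section that `pcs acl ...` commands generate.

Added example, not pcs or Pacemaker code. The sample below is constructed to
match the pcs commands quoted in the thread; ids follow the pcs output there.
"""
import xml.etree.ElementTree as ET

# Constructed sample: CIB <acls> equivalent of the quoted `pcs acl` commands.
SAMPLE_ACLS = """<acls>
  <acl_role id="read-only" description="Read access to cluster">
    <acl_permission id="read-only-read" kind="read" xpath="/cib"/>
  </acl_role>
  <acl_role id="write-access" description="Full access">
    <acl_permission id="write-access-write" kind="write" xpath="/cib"/>
  </acl_role>
  <acl_role id="write_config">
    <acl_permission id="write_config-write" kind="write" xpath="/cib/configuration"/>
    <acl_permission id="write_config-write-1" kind="write" xpath="//crm_config//nvpair[@name='maintenance-mode']"/>
    <acl_permission id="write_config-write-2" kind="write" xpath="//nvpair[@name='maintenance']"/>
    <acl_permission id="write_config-write-3" kind="write" xpath="//resources"/>
    <acl_permission id="write_config-write-4" kind="write" xpath="//constraints"/>
  </acl_role>
  <acl_target id="rouser">
    <role id="read-only"/>
  </acl_target>
  <acl_target id="rwuser">
    <role id="write-access"/>
    <role id="write_config"/>
  </acl_target>
</acls>"""


def parse_acls(xml_text):
    """Return (roles, users): role id -> [(kind, target)], user id -> [role ids]."""
    root = ET.fromstring(xml_text)
    if root.tag != "acls":
        raise ValueError("expected an <acls> element, got <%s>" % root.tag)
    roles = {}
    for role in root.findall("acl_role"):
        perms = []
        for perm in role.findall("acl_permission"):
            # A permission targets by xpath, by element reference, or by object
            # type; configurations written with pcs mostly use the xpath form.
            target = perm.get("xpath") or perm.get("reference") or perm.get("object-type")
            perms.append((perm.get("kind"), target))
        roles[role.get("id")] = perms
    users = {}
    for acl_target in root.findall("acl_target"):
        users[acl_target.get("id")] = [r.get("id") for r in acl_target.findall("role")]
    return roles, users


def effective_permissions(roles, users, user):
    """Flatten a user's roles into the (kind, target) pairs they actually hold."""
    perms = []
    for role_id in users.get(user, []):
        perms.extend(roles.get(role_id, []))
    return perms


def has_full_cib_write(roles, users, user):
    """True if any of the user's roles grants write on the CIB root (/cib)."""
    return any(kind == "write" and target == "/cib"
               for kind, target in effective_permissions(roles, users, user))


def audit(xml_text):
    """Return human-readable findings about the ACL set, in user order."""
    roles, users = parse_acls(xml_text)
    findings = []
    for user, role_ids in users.items():
        missing = [r for r in role_ids if r not in roles]
        if missing:
            findings.append(f"{user}: assigned undefined role(s) {missing}")
        if has_full_cib_write(roles, users, user):
            findings.append(f"{user}: write on /cib makes every narrower permission redundant")
        if not effective_permissions(roles, users, user):
            findings.append(f"{user}: no effective CIB permissions")
    return findings


if __name__ == "__main__":
    roles, users = parse_acls(SAMPLE_ACLS)
    for user in users:
        print(user, effective_permissions(roles, users, user))
    for line in audit(SAMPLE_ACLS):
        print("finding:", line)
    # Note that no rule above mentions `pcs cluster stop`: that command is
    # served by pcsd, whose permissions are configured separately in the web UI.
```

Run it as-is to see `rouser` reduced to a single `read /cib` entry and `rwuser` flagged for holding root write; on a live node the same parser can be fed the output of `cibadmin --query --scope acls` to audit the real configuration.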


