[ClusterLabs] PCS ACL for the "pcs cluster stop" command

Reid Wahl nwahl at redhat.com
Fri Oct 13 15:19:09 EDT 2023


On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos <robson2445 at gmail.com> wrote:
>
> Good day!
> I use the configuration shown below to create an ACL. How can I restrict access to the "pcs cluster stop" command for a user?

I don't think you can. ACLs are implemented in Pacemaker; pcs simply
provides an interface to manage them.

`pcs cluster stop` basically runs `systemctl stop pacemaker; systemctl stop corosync`.
So it doesn't interact with the Pacemaker ACLs. It just stops the service.

> useradd rouser -m -G haclient
> useradd rwuser -m -G haclient
> passwd rwuser
> passwd rouser
> pcs acl enable
> pcs acl role create read-only description="Read access to cluster" read xpath /cib
> pcs acl role create write-access description="Full access" write xpath /cib
> pcs acl permission add write_config write xpath /cib/configuration
> pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> pcs acl permission add write_config write xpath //resources
> pcs acl permission add write_config write xpath //constraints
> pcs acl user create rouser read-only
> pcs acl user create rwuser write-access
> pcs acl role assign read-only to rouser
> pcs acl role assign write_config to rwuser
>
> User: rouser
>   Roles: read-only
> User: rwuser
>   Roles: write-access write_config
> Role: read-only
>   Description: Read access to cluster
>   Permission: read xpath /cib (read-only-read)
> Role: write-access
>   Description: Full access
>   Permission: write xpath /cib (write-access-write)
> Role: write_config
>   Permission: write xpath /cib/configuration (write_config-write)
>   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
>   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
>   Permission: write xpath //resources (write_config-write-3)
>   Permission: write xpath //constraints (write_config-write-4)
>
> su rouser
> Username: rouser
> Password:
> localhost: Authorized
> pcs cluster stop
> Stopping Cluster (pacemaker)...
> Stopping Cluster (corosync)...



-- 
Regards,

Reid Wahl (He/Him)
Senior Software Engineer, Red Hat
RHEL High Availability - Pacemaker
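As an added example (not code from the thread or from pcs itself), here is a small parser for the `pcs acl` listing quoted above that resolves each user's effective permissions. It assumes the User/Roles/Role/Permission layout shown in the thread, and the sample listing is constructed. Everything it reports is an xpath or id inside the CIB, which is exactly why nothing in such a listing governs `pcs cluster stop`: that command stops the services, not a CIB object.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `pcs acl` prints (same shape as the thread).
SAMPLE = """\
User: rouser
  Roles: read-only
User: rwuser
  Roles: write-access write_config
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
Role: write-access
  Description: Full access
  Permission: write xpath /cib (write-access-write)
Role: write_config
  Permission: write xpath /cib/configuration (write_config-write)
  Permission: write xpath //resources (write_config-write-3)
"""

# "Permission: <kind> <xpath|id> <target> (<permission-id>)"
PERM_RE = re.compile(r"Permission:\s+(\S+)\s+(xpath|id)\s+(.+?)\s+\(([^)]+)\)$")

def parse_acl(text):
    """Return ({user: [roles]}, {role: [(kind, type, target)]})."""
    users, roles = {}, defaultdict(list)
    current = None  # ("user", name) or ("role", name) for the block being read
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("User: "):
            current = ("user", s[6:])
            users[current[1]] = []
        elif s.startswith("Role: "):
            current = ("role", s[6:])
            roles.setdefault(current[1], [])
        elif s.startswith("Roles: ") and current and current[0] == "user":
            users[current[1]] = s[7:].split()
        elif s.startswith("Permission: ") and current and current[0] == "role":
            m = PERM_RE.match(s)
            if m:
                roles[current[1]].append((m.group(1), m.group(2), m.group(3)))
    return users, dict(roles)

def effective_permissions(text):
    """Per user, the sorted (kind, target) pairs granted by the user's roles."""
    users, roles = parse_acl(text)
    return {u: sorted({(k, t) for r in rs for k, _, t in roles.get(r, [])})
            for u, rs in users.items()}

def users_with_write_on(text, xpath="/cib"):
    """Users whose roles grant write on exactly this xpath (whole CIB by default)."""
    return sorted(u for u, perms in effective_permissions(text).items()
                  if ("write", xpath) in perms)
```

Run it on real `pcs acl config` output to see which users hold write on `/cib`; whoever can run `pcs cluster stop` is decided by OS-level access to the node, not by this list.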


