[ClusterLabs] PCS ACL for the "pcs cluster stop" command
Klaus Wenninger
kwenning at redhat.com
Mon Oct 16 06:16:09 EDT 2023
On Fri, Oct 13, 2023 at 9:21 PM Reid Wahl <nwahl at redhat.com> wrote:
> On Fri, Oct 13, 2023 at 12:19 PM Reid Wahl <nwahl at redhat.com> wrote:
> >
> > On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos <robson2445 at gmail.com>
> wrote:
> > >
> > > good day!
> > > I use the configuration to create an ACL, it is shown below. How can I
> restrict access to the "pcs cluster stop" command for a user?
> >
> > I don't think you can. ACLs are implemented in Pacemaker; pcs simply
> > provides an interface to manage them.
> >
> > `pcs cluster stop` basically runs `systemctl stop pacemaker; systemctl
> > stop corosync`. So it doesn't interact with the Pacemaker ACLs. It
> > just stops the service.
>
> In my experience only the root user can run `pcs cluster stop`
> successfully anyway
>
Haven't actually tried it but in a setup running pcsd stop commands would
run in the context of pcsd and so it might still be possible to trigger
commands
by a non root user which wouldn't work being called directly.
Klaus
>
> >
> > > useradd rouser -m -G haclient
> > > useradd rwuser -m -G haclient
> > > passwd rwuser
> > > passwd rouser
> > > pcs acl enable
> > > pcs acl role create read-only description="Read access to cluster"
> read xpath /cib
> > > pcs acl role create write-access description="Full access" write xpath
> /cib
> > > pcs acl permission add write_config write xpath /cib/configuration
> > > pcs acl permission add write_config write xpath
> //crm_config//nvpair[@name='maintenance-mode']
> > > pcs acl permission add write_config write xpath
> //nvpair[@name='maintenance']
> > > pcs acl permission add write_config write xpath //resources
> > > pcs acl permission add write_config write xpath //constraints
> > > pcs acl user create rouser read-only
> > > pcs acl user create rwuser write-access
> > > pcs acl role assign read-only to rouser
> > > pcs acl role assign write_config to rwuser
> > >
> > > User: rouser
> > > Roles: read-only
> > > User: rwuser
> > > Roles: write-access write_config
> > > Role: read-only
> > > Description: Read access to cluster
> > > Permission: read xpath /cib (read-only-read)
> > > Role: write-access
> > > Description: Full access
> > > Permission: write xpath /cib (write-access-write)
> > > Role: write_config
> > > Permission: write xpath /cib/configuration (write_config-write)
> > > Permission: write xpath //crm_config//nvpair[@name=maintenance-mode]
> (write_config-write-1)
> > > Permission: write xpath //nvpair[@name=maintenance]
> (write_config-write-2)
> > > Permission: write xpath //resources (write_config-write-3)
> > > Permission: write xpath //constraints (write_config-write-4)
> > >
> > > su rouser
> > > Username: rouser
> > > Password:
> > > localhost: Authorized
> > > pcs cluster stop
> > > Stopping Cluster (pacemaker)...
> > > Stopping Cluster (corosync)...
> > >
> > > _______________________________________________
> > > Manage your subscription:
> > > https://lists.clusterlabs.org/mailman/listinfo/users
> > >
> > > ClusterLabs home: https://www.clusterlabs.org/
> >
> >
> >
> > --
> > Regards,
> >
> > Reid Wahl (He/Him)
> > Senior Software Engineer, Red Hat
> > RHEL High Availability - Pacemaker
>
>
>
> --
> Regards,
>
> Reid Wahl (He/Him)
> Senior Software Engineer, Red Hat
> RHEL High Availability - Pacemaker
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20231016/bfc136ad/attachment-0001.htm>
More information about the Users
mailing list