<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 13, 2023 at 9:21 PM Reid Wahl <<a href="mailto:nwahl@redhat.com">nwahl@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, Oct 13, 2023 at 12:19 PM Reid Wahl <<a href="mailto:nwahl@redhat.com" target="_blank">nwahl@redhat.com</a>> wrote:<br>
><br>
> On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos <<a href="mailto:robson2445@gmail.com" target="_blank">robson2445@gmail.com</a>> wrote:<br>
> ><br>
> > good day!<br>
> > I use the configuration shown below to create an ACL. How can I restrict access to the "pcs cluster stop" command for a user?<br>
><br>
> I don't think you can. ACLs are implemented in Pacemaker; pcs simply<br>
> provides an interface to manage them.<br>
><br>
> `pcs cluster stop` basically runs `systemctl stop pacemaker; systemctl<br>
> stop corosync`. So it doesn't interact with the Pacemaker ACLs. It<br>
> just stops the service.<br>
<br>
In my experience only the root user can run `pcs cluster stop`<br>
successfully anyway.<br></blockquote><div><br></div><div>Haven't actually tried it, but in a setup running pcsd, stop commands would run in the context of pcsd, and so it might still be possible for a non-root user to trigger commands which wouldn't work when called directly.</div><div><br></div><div>Klaus</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
><br>
> > useradd rouser -m -G haclient<br>
> > useradd rwuser -m -G haclient<br>
> > passwd rwuser<br>
> > passwd rouser<br>
> > pcs acl enable<br>
> > pcs acl role create read-only description="Read access to cluster" read xpath /cib<br>
> > pcs acl role create write-access description="Full access" write xpath /cib<br>
> > pcs acl permission add write_config write xpath /cib/configuration<br>
> > pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']<br>
> > pcs acl permission add write_config write xpath //nvpair[@name='maintenance']<br>
> > pcs acl permission add write_config write xpath //resources<br>
> > pcs acl permission add write_config write xpath //constraints<br>
> > pcs acl user create rouser read-only<br>
> > pcs acl user create rwuser write-access<br>
> > pcs acl role assign read-only to rouser<br>
> > pcs acl role assign write_config to rwuser<br>
> ><br>
> > User: rouser<br>
> > Roles: read-only<br>
> > User: rwuser<br>
> > Roles: write-access write_config<br>
> > Role: read-only<br>
> > Description: Read access to cluster<br>
> > Permission: read xpath /cib (read-only-read)<br>
> > Role: write-access<br>
> > Description: Full access<br>
> > Permission: write xpath /cib (write-access-write)<br>
> > Role: write_config<br>
> > Permission: write xpath /cib/configuration (write_config-write)<br>
> > Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)<br>
> > Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)<br>
> > Permission: write xpath //resources (write_config-write-3)<br>
> > Permission: write xpath //constraints (write_config-write-4)<br>
> ><br>
> > su rouser<br>
> > Username: rouser<br>
> > Password:<br>
> > localhost: Authorized<br>
> > pcs cluster stop<br>
> > Stopping Cluster (pacemaker)...<br>
> > Stopping Cluster (corosync)...<br>
> ><br>
> > _______________________________________________<br>
> > Manage your subscription:<br>
> > <a href="https://lists.clusterlabs.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.clusterlabs.org/mailman/listinfo/users</a><br>
> ><br>
> > ClusterLabs home: <a href="https://www.clusterlabs.org/" rel="noreferrer" target="_blank">https://www.clusterlabs.org/</a><br>
><br>
><br>
><br>
> --<br>
> Regards,<br>
><br>
> Reid Wahl (He/Him)<br>
> Senior Software Engineer, Red Hat<br>
> RHEL High Availability - Pacemaker<br>
<br>
<br>
<br>
-- <br>
Regards,<br>
<br>
Reid Wahl (He/Him)<br>
Senior Software Engineer, Red Hat<br>
RHEL High Availability - Pacemaker<br>
<br>
</blockquote></div></div>
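<p>As an added example (not code from pcs, Pacemaker, or anyone in this thread), the Python script below parses a <code>pcs acl config</code>-style listing in the format quoted above, resolves each user's roles into the permissions they actually hold, reports roles that are assigned but never defined, and flags users holding write on xpath <code>/cib</code> (the thread's "Full access" role). The <code>SAMPLE</code> listing is constructed from the one posted, and the function names are assumptions of this example. Every permission it can find is a read/write/deny on a CIB xpath or id; that is the whole vocabulary of Pacemaker ACLs, which is why nothing in such a configuration can restrict <code>pcs cluster stop</code>.</p>

```python
"""Resolve `pcs acl config`-style output into effective per-user CIB permissions.

Added example; not code from pcs or from the thread. The parser targets the
User:/Roles:/Role:/Description:/Permission: listing format quoted in the thread.
SAMPLE is a constructed listing modelled on the one posted there.
"""
import re
from collections import OrderedDict

SAMPLE = """\
User: rouser
Roles: read-only
User: rwuser
Roles: write-access write_config
Role: read-only
Description: Read access to cluster
Permission: read xpath /cib (read-only-read)
Role: write-access
Description: Full access
Permission: write xpath /cib (write-access-write)
Role: write_config
Permission: write xpath /cib/configuration (write_config-write)
Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
Permission: write xpath //resources (write_config-write-3)
"""

# Permission: <kind> <xpath|id> <target> (<permission id>)
PERM_RE = re.compile(r"^Permission:\s+(read|write|deny)\s+(xpath|id)\s+(.+?)\s+\((\S+)\)$")


def parse_acl_config(text):
    """Return (users, roles): user -> [role ids]; role -> [(kind, type, target, perm_id)]."""
    users, roles = OrderedDict(), OrderedDict()
    current_user = current_role = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User:"):
            current_user, current_role = line[len("User:"):].strip(), None
            users[current_user] = []
        elif line.startswith("Roles:") and current_user is not None:
            users[current_user] = line[len("Roles:"):].split()
        elif line.startswith("Role:"):
            current_role, current_user = line[len("Role:"):].strip(), None
            roles[current_role] = []
        elif line.startswith("Permission:") and current_role is not None:
            m = PERM_RE.match(line)
            if not m:
                raise ValueError("unrecognised permission line: %r" % line)
            roles[current_role].append(m.groups())
        # Description: lines and blank lines carry no access information.
    return users, roles


def effective_permissions(users, roles):
    """Flatten roles into per-user permissions.

    Returns (perms, missing): perms maps user -> [(kind, type, target)];
    missing maps user -> [role ids assigned to the user but not defined],
    so a typo in `pcs acl role assign` is not silently treated as "no access".
    """
    perms, missing = OrderedDict(), {}
    for user, role_ids in users.items():
        held = []
        for role_id in role_ids:
            if role_id in roles:
                held.extend((k, t, target) for k, t, target, _ in roles[role_id])
            else:
                missing.setdefault(user, []).append(role_id)
        perms[user] = held
    return perms, missing


def cib_wide_writers(users, roles):
    """Users holding write on xpath /cib: Pacemaker evaluates that as write
    access to the whole configuration, so a read-only user must never appear here."""
    perms, _ = effective_permissions(users, roles)
    return [u for u, held in perms.items()
            if any(k == "write" and t == "xpath" and target == "/cib" for k, t, target in held)]


if __name__ == "__main__":
    users, roles = parse_acl_config(SAMPLE)
    perms, missing = effective_permissions(users, roles)
    for user, held in perms.items():
        print(user, "->", held or "(no permissions)")
    for user, role_ids in missing.items():
        print("WARNING:", user, "assigned undefined roles", role_ids)
    print("write on /cib (full configuration access):", cib_wide_writers(users, roles))
```

<p>Run it against real output by piping <code>pcs acl config</code> into <code>parse_acl_config</code>; note that every permission it reports is scoped to the CIB, so a separate control (outside Pacemaker ACLs) is needed for anything that stops the daemons themselves.</p>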