Re: [ClusterLabs] PCS ACL for the "pcs cluster stop" command

2023-10-16 Thread Miroslav Lisik



On 10/16/23 12:16, Klaus Wenninger wrote:



> On Fri, Oct 13, 2023 at 9:21 PM Reid Wahl wrote:
>
> > On Fri, Oct 13, 2023 at 12:19 PM Reid Wahl <nw...@redhat.com> wrote:
> > >
> > > On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos <robson2...@gmail.com> wrote:
> > > >
> > > > good day!
> > > > I use the configuration to create an ACL, it is shown below.
> > > > How can I restrict access to the "pcs cluster stop" command for a user?
> > >
> > > I don't think you can. ACLs are implemented in Pacemaker; pcs simply
> > > provides an interface to manage them.
> > >
> > > `pcs cluster stop` basically runs `systemctl stop pacemaker;
> > > systemctl stop corosync`. So it doesn't interact with the Pacemaker ACLs. It
> > > just stops the service.
> >
> > In my experience only the root user can run `pcs cluster stop`
> > successfully anyway
>
> Haven't actually tried it but in a setup running pcsd, stop commands would
> run in the context of pcsd and so it might still be possible to trigger
> commands by a non-root user which wouldn't work being called directly.
>
> Klaus


Every user in the haclient group with the default pcsd permissions for the
haclient group can run commands such as `pcs cluster stop` (except `pcs cluster
node add`) after authenticating to the local pcsd.

[user@hostname ~]$ groups
user haclient
[user@hostname ~]$ pcs cluster stop
Warning: Unable to read the known-hosts file: No such file or directory: '/home/user/.pcs/known-hosts'
Error: Unable to authenticate against the local pcsd. Run the same command as root or authenticate yourself to the local pcsd using command 'pcs client local-auth'

[user@hostname ~]$ pcs client local-auth -u user
Password:
localhost: Authorized
[user@hostname ~]$ pcs cluster stop
Stopping Cluster (pacemaker)...
Stopping Cluster (corosync)...


> > >
> > > > useradd rouser -m -G haclient
> > > > useradd rwuser -m -G haclient
> > > > passwd rwuser
> > > > passwd rouser
> > > > pcs acl enable
> > > > pcs acl role create read-only description="Read access to cluster" read xpath /cib
> > > > pcs acl role create write-access description="Full access" write xpath /cib
> > > > pcs acl permission add write_config write xpath /cib/configuration
> > > > pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> > > > pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> > > > pcs acl permission add write_config write xpath //resources
> > > > pcs acl permission add write_config write xpath //constraints
> > > > pcs acl user create rouser read-only
> > > > pcs acl user create rwuser write-access
> > > > pcs acl role assign read-only to rouser
> > > > pcs acl role assign write_config to rwuser
> > > >
> > > > User: rouser
> > > >   Roles: read-only
> > > > User: rwuser
> > > >   Roles: write-access write_config
> > > > Role: read-only
> > > >   Description: Read access to cluster
> > > >   Permission: read xpath /cib (read-only-read)
> > > > Role: write-access
> > > >   Description: Full access
> > > >   Permission: write xpath /cib (write-access-write)
> > > > Role: write_config
> > > >   Permission: write xpath /cib/configuration (write_config-write)
> > > >   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
> > > >   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
> > > >   Permission: write xpath //resources (write_config-write-3)
> > > >   Permission: write xpath //constraints (write_config-write-4)
> > > >
> > > > su rouser
> > > > Username: rouser
> > > > Password:
> > > > localhost: Authorized
> > > > pcs cluster stop
> > > > Stopping Cluster (pacemaker)...
> > > > Stopping Cluster (corosync)...
> > > >
> > >
> > > --
> > > Regards,
> > >
> > > Reid Wahl (He/Him)
> > > Senior Software Engineer, Red Hat
> > > RHEL High Availability - Pacemaker



> > --
> > Regards,
> >
> > Reid Wahl (He/Him)
> > Senior Software Engineer, Red Hat
> > RHEL High Availability - Pacemaker




___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/


Re: [ClusterLabs] PCS ACL for the "pcs cluster stop" command

2023-10-16 Thread Miroslav Lisik

Hi Roberto!

On 10/13/23 10:13, Roberto Rodrigos wrote:

> good day!
> I use the configuration to create an ACL, it is shown below. How can I
> restrict access to the "pcs cluster stop" command for a user?



There is a way to restrict access to the `pcs cluster stop` command, but you
need to change permission settings in pcs-web-ui. It cannot be done from the
CLI.

Here is the procedure:
1. create a system user and add it to the 'haclient' group
2. login as the hacluster user in the pcs-web-ui on some cluster node
(https://hostname:2224/ui)
3. add the existing cluster
4. go to the cluster settings and click on the permissions tab
5. remove permissions for the haclient group or restrict its access to "Read"
6. add "Read" permissions for your created user.

This will restrict access to the `pcs cluster stop` command but also to
other commands which do some changes over the pcsd daemon.
Here is a probably incomplete list of affected commands:
* pcs cluster destroy
* pcs cluster enable/disable
* pcs cluster node
* pcs cluster start/stop
* pcs cluster sync
* pcs pcsd sync-certificates

This will also restrict the user and the haclient group from access to web
UI actions which change the CIB configuration (e.g. managing resources), but
CLI commands working with the CIB configuration will still work (e.g.
`pcs resource create`), so you need to use Pacemaker ACLs for further
user restrictions.


> useradd rouser -m -G haclient
> useradd rwuser -m -G haclient
> passwd rwuser
> passwd rouser
> pcs acl enable
> pcs acl role create read-only description="Read access to cluster" read xpath /cib
> pcs acl role create write-access description="Full access" write xpath /cib
> pcs acl permission add write_config write xpath /cib/configuration
> pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> pcs acl permission add write_config write xpath //resources
> pcs acl permission add write_config write xpath //constraints
> pcs acl user create rouser read-only
> pcs acl user create rwuser write-access
> pcs acl role assign read-only to rouser
> pcs acl role assign write_config to rwuser
>
> User: rouser
>   Roles: read-only
> User: rwuser
>   Roles: write-access write_config
> Role: read-only
>   Description: Read access to cluster
>   Permission: read xpath /cib (read-only-read)
> Role: write-access
>   Description: Full access
>   Permission: write xpath /cib (write-access-write)
> Role: write_config
>   Permission: write xpath /cib/configuration (write_config-write)
>   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
>   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
>   Permission: write xpath //resources (write_config-write-3)
>   Permission: write xpath //constraints (write_config-write-4)
>
> su rouser
> Username: rouser
> Password:
> localhost: Authorized
> pcs cluster stop
> Stopping Cluster (pacemaker)...
> Stopping Cluster (corosync)...



Regards,
Miroslav

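An added example, not code from this thread, from pcs or from Pacemaker: the script below makes the two-layer point from Miroslav's two replies checkable. It parses a `pcs acl`-style listing in the format quoted in this thread plus an /etc/group line for haclient, and reports per user which layer applies. Pacemaker ACL roles only scope CIB xpaths, so nothing in that listing can restrict `pcs cluster stop`; what gates that command is pcsd's own permission model (haclient membership plus the pcs-web-ui permissions described above). The sample listing and group line are constructed (the gid is invented) and all function names are mine.

```python
import re

# Constructed sample input in the `pcs acl` listing format quoted in the thread;
# embedded here so the script runs offline (it is not live output from a cluster).
SAMPLE_ACL_LISTING = """\
User: rouser
  Roles: read-only
User: rwuser
  Roles: write-access write_config
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
Role: write-access
  Description: Full access
  Permission: write xpath /cib (write-access-write)
Role: write_config
  Permission: write xpath /cib/configuration (write_config-write)
  Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
  Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
  Permission: write xpath //resources (write_config-write-3)
  Permission: write xpath //constraints (write_config-write-4)
"""

# Constructed /etc/group line; gid 189 is an arbitrary made-up value.
SAMPLE_GROUP_LINE = "haclient:x:189:rouser,rwuser,hacluster"

# "Permission: <kind> xpath <xpath> (<id>)" -> (kind, xpath, id)
PERM_RE = re.compile(r"Permission:\s+(\S+)\s+xpath\s+(.+?)\s+\((\S+)\)\s*$")


def parse_acl_listing(text):
    """Return ({user: [role, ...]}, {role: [(kind, xpath, id), ...]})."""
    users, roles = {}, {}
    current_user = current_role = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User:"):
            current_user, current_role = line.split(":", 1)[1].strip(), None
            users[current_user] = []
        elif line.startswith("Roles:") and current_user is not None:
            users[current_user] = line.split(":", 1)[1].split()
        elif line.startswith("Role:"):
            current_role, current_user = line.split(":", 1)[1].strip(), None
            roles[current_role] = []
        elif line.startswith("Permission:") and current_role is not None:
            m = PERM_RE.match(line)
            if m is None:
                raise ValueError(f"unparsed permission line: {raw!r}")
            roles[current_role].append(m.groups())
        # "Description:" lines carry no authorization data and are skipped.
    return users, roles


def parse_group_members(group_line, group="haclient"):
    """Members named on one /etc/group line for `group`."""
    name, _pw, _gid, members = group_line.strip().split(":", 3)
    if name != group:
        raise ValueError(f"expected group {group!r}, got {name!r}")
    return {m for m in members.split(",") if m}


def audit_user(user, users, roles, haclient_members):
    """Separate the two layers that decide what `user` can do on a node."""
    role_names = users.get(user, [])
    perms = [p for r in role_names for p in roles.get(r, [])]
    # A write permission on /cib covers the whole CIB, so a write-only role
    # scoped to sub-trees adds nothing for the same user (heuristic: it does
    # not model deny entries or evaluation order).
    full_write = any(k == "write" and xp == "/cib" for k, xp, _ in perms)
    shadowed = [r for r in role_names if full_write and roles.get(r)
                and all(k == "write" and xp != "/cib" for k, xp, _ in roles[r])]
    notes = []
    if user in haclient_members:
        notes.append("haclient member: with default pcsd permissions can run "
                     "pcsd-executed commands such as `pcs cluster stop` after "
                     "`pcs client local-auth`; Pacemaker ACL roles do not gate that")
    if shadowed:
        notes.append("roles shadowed by write on /cib: " + ", ".join(shadowed))
    return {
        "pcsd_local_auth_possible": user in haclient_members,
        "acl_roles": role_names,
        "cib_permissions": [(k, xp) for k, xp, _ in perms],
        "full_cib_write": full_write,
        "roles_shadowed_by_full_write": shadowed,
        "notes": notes,
    }


def audit_all(listing, group_line):
    """Report for every user seen in either layer."""
    users, roles = parse_acl_listing(listing)
    members = parse_group_members(group_line)
    return {u: audit_user(u, users, roles, members)
            for u in sorted(set(users) | members)}


if __name__ == "__main__":
    for user, report in audit_all(SAMPLE_ACL_LISTING, SAMPLE_GROUP_LINE).items():
        print(f"{user}: roles={report['acl_roles']} cib={report['cib_permissions']}")
        for note in report["notes"]:
            print("  -", note)
```

Run as-is it reports on the constructed sample; on a real node you would feed it the output of `pcs acl config` (plain `pcs acl` on older versions) and `getent group haclient`. For the configuration quoted in this thread it shows that rouser, despite holding only a read role, is still a haclient member and therefore able to stop the cluster through pcsd, and that rwuser's write_config role is fully covered by the write on /cib granted by write-access.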


Re: [ClusterLabs] PCS ACL for the "pcs cluster stop" command

2023-10-16 Thread Klaus Wenninger
On Fri, Oct 13, 2023 at 9:21 PM Reid Wahl wrote:

> On Fri, Oct 13, 2023 at 12:19 PM Reid Wahl wrote:
> >
> > On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos wrote:
> > >
> > > good day!
> > > I use the configuration to create an ACL, it is shown below. How can I
> > > restrict access to the "pcs cluster stop" command for a user?
> >
> > I don't think you can. ACLs are implemented in Pacemaker; pcs simply
> > provides an interface to manage them.
> >
> > `pcs cluster stop` basically runs `systemctl stop pacemaker; systemctl
> > stop corosync`. So it doesn't interact with the Pacemaker ACLs. It
> > just stops the service.
>
> In my experience only the root user can run `pcs cluster stop`
> successfully anyway
>

Haven't actually tried it but in a setup running pcsd, stop commands would
run in the context of pcsd and so it might still be possible to trigger
commands by a non-root user which wouldn't work being called directly.

Klaus

>
> >
> > > useradd rouser -m -G haclient
> > > useradd rwuser -m -G haclient
> > > passwd rwuser
> > > passwd rouser
> > > pcs acl enable
> > > pcs acl role create read-only description="Read access to cluster" read xpath /cib
> > > pcs acl role create write-access description="Full access" write xpath /cib
> > > pcs acl permission add write_config write xpath /cib/configuration
> > > pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> > > pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> > > pcs acl permission add write_config write xpath //resources
> > > pcs acl permission add write_config write xpath //constraints
> > > pcs acl user create rouser read-only
> > > pcs acl user create rwuser write-access
> > > pcs acl role assign read-only to rouser
> > > pcs acl role assign write_config to rwuser
> > >
> > > User: rouser
> > >   Roles: read-only
> > > User: rwuser
> > >   Roles: write-access write_config
> > > Role: read-only
> > >   Description: Read access to cluster
> > >   Permission: read xpath /cib (read-only-read)
> > > Role: write-access
> > >   Description: Full access
> > >   Permission: write xpath /cib (write-access-write)
> > > Role: write_config
> > >   Permission: write xpath /cib/configuration (write_config-write)
> > >   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
> > >   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
> > >   Permission: write xpath //resources (write_config-write-3)
> > >   Permission: write xpath //constraints (write_config-write-4)
> > >
> > > su rouser
> > > Username: rouser
> > > Password:
> > > localhost: Authorized
> > > pcs cluster stop
> > > Stopping Cluster (pacemaker)...
> > > Stopping Cluster (corosync)...
> > >
> >
> >
> >
> > --
> > Regards,
> >
> > Reid Wahl (He/Him)
> > Senior Software Engineer, Red Hat
> > RHEL High Availability - Pacemaker
>
>
>
> --
> Regards,
>
> Reid Wahl (He/Him)
> Senior Software Engineer, Red Hat
> RHEL High Availability - Pacemaker
>


Re: [ClusterLabs] PCS ACL for the "pcs cluster stop" command

2023-10-13 Thread Reid Wahl
On Fri, Oct 13, 2023 at 12:19 PM Reid Wahl wrote:
>
> On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos wrote:
> >
> > good day!
> > I use the configuration to create an ACL, it is shown below. How can I 
> > restrict access to the "pcs cluster stop" command for a user?
>
> I don't think you can. ACLs are implemented in Pacemaker; pcs simply
> provides an interface to manage them.
>
> `pcs cluster stop` basically runs `systemctl stop pacemaker; systemctl
> stop corosync`. So it doesn't interact with the Pacemaker ACLs. It
> just stops the service.

In my experience only the root user can run `pcs cluster stop`
successfully anyway

>
> > useradd rouser -m -G haclient
> > useradd rwuser -m -G haclient
> > passwd rwuser
> > passwd rouser
> > pcs acl enable
> > pcs acl role create read-only description="Read access to cluster" read xpath /cib
> > pcs acl role create write-access description="Full access" write xpath /cib
> > pcs acl permission add write_config write xpath /cib/configuration
> > pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> > pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> > pcs acl permission add write_config write xpath //resources
> > pcs acl permission add write_config write xpath //constraints
> > pcs acl user create rouser read-only
> > pcs acl user create rwuser write-access
> > pcs acl role assign read-only to rouser
> > pcs acl role assign write_config to rwuser
> >
> > User: rouser
> >   Roles: read-only
> > User: rwuser
> >   Roles: write-access write_config
> > Role: read-only
> >   Description: Read access to cluster
> >   Permission: read xpath /cib (read-only-read)
> > Role: write-access
> >   Description: Full access
> >   Permission: write xpath /cib (write-access-write)
> > Role: write_config
> >   Permission: write xpath /cib/configuration (write_config-write)
> >   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
> >   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
> >   Permission: write xpath //resources (write_config-write-3)
> >   Permission: write xpath //constraints (write_config-write-4)
> >
> > su rouser
> > Username: rouser
> > Password:
> > localhost: Authorized
> > pcs cluster stop
> > Stopping Cluster (pacemaker)...
> > Stopping Cluster (corosync)...
> >
>
>
>
> --
> Regards,
>
> Reid Wahl (He/Him)
> Senior Software Engineer, Red Hat
> RHEL High Availability - Pacemaker



-- 
Regards,

Reid Wahl (He/Him)
Senior Software Engineer, Red Hat
RHEL High Availability - Pacemaker



Re: [ClusterLabs] PCS ACL for the "pcs cluster stop" command

2023-10-13 Thread Reid Wahl
On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos wrote:
>
> good day!
> I use the configuration to create an ACL, it is shown below. How can I 
> restrict access to the "pcs cluster stop" command for a user?

I don't think you can. ACLs are implemented in Pacemaker; pcs simply
provides an interface to manage them.

`pcs cluster stop` basically runs `systemctl stop pacemaker; systemctl
stop corosync`. So it doesn't interact with the Pacemaker ACLs. It
just stops the service.

> useradd rouser -m -G haclient
> useradd rwuser -m -G haclient
> passwd rwuser
> passwd rouser
> pcs acl enable
> pcs acl role create read-only description="Read access to cluster" read xpath /cib
> pcs acl role create write-access description="Full access" write xpath /cib
> pcs acl permission add write_config write xpath /cib/configuration
> pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> pcs acl permission add write_config write xpath //resources
> pcs acl permission add write_config write xpath //constraints
> pcs acl user create rouser read-only
> pcs acl user create rwuser write-access
> pcs acl role assign read-only to rouser
> pcs acl role assign write_config to rwuser
>
> User: rouser
>   Roles: read-only
> User: rwuser
>   Roles: write-access write_config
> Role: read-only
>   Description: Read access to cluster
>   Permission: read xpath /cib (read-only-read)
> Role: write-access
>   Description: Full access
>   Permission: write xpath /cib (write-access-write)
> Role: write_config
>   Permission: write xpath /cib/configuration (write_config-write)
>   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
>   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
>   Permission: write xpath //resources (write_config-write-3)
>   Permission: write xpath //constraints (write_config-write-4)
>
> su rouser
> Username: rouser
> Password:
> localhost: Authorized
> pcs cluster stop
> Stopping Cluster (pacemaker)...
> Stopping Cluster (corosync)...
>



-- 
Regards,

Reid Wahl (He/Him)
Senior Software Engineer, Red Hat
RHEL High Availability - Pacemaker



[ClusterLabs] PCS ACL for the "pcs cluster stop" command

2023-10-13 Thread Roberto Rodrigos
good day!
I use the configuration to create an ACL, it is shown below. How can I
restrict access to the "pcs cluster stop" command for a user?


useradd rouser -m -G haclient
useradd rwuser -m -G haclient
passwd rwuser
passwd rouser
pcs acl enable
pcs acl role create read-only description="Read access to cluster" read xpath /cib
pcs acl role create write-access description="Full access" write xpath /cib
pcs acl permission add write_config write xpath /cib/configuration
pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
pcs acl permission add write_config write xpath //resources
pcs acl permission add write_config write xpath //constraints
pcs acl user create rouser read-only
pcs acl user create rwuser write-access
pcs acl role assign read-only to rouser
pcs acl role assign write_config to rwuser

User: rouser
  Roles: read-only
User: rwuser
  Roles: write-access write_config
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
Role: write-access
  Description: Full access
  Permission: write xpath /cib (write-access-write)
Role: write_config
  Permission: write xpath /cib/configuration (write_config-write)
  Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
  Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
  Permission: write xpath //resources (write_config-write-3)
  Permission: write xpath //constraints (write_config-write-4)

su rouser
Username: rouser
Password:
localhost: Authorized
pcs cluster stop
Stopping Cluster (pacemaker)...
Stopping Cluster (corosync)...