On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos <robson2...@gmail.com> wrote:
>
> good day!
> I use the configuration to create an ACL, it is shown below. How can I
> restrict access to the "pcs cluster stop" command for a user?

I don't think you can. ACLs are implemented in Pacemaker; pcs simply provides an interface to manage them. `pcs cluster stop` basically runs `systemctl stop pacemaker; systemctl stop corosync`. So it doesn't interact with the Pacemaker ACLs. It just stops the service.

> useradd rouser -m -G haclient
> useradd rwuser -m -G haclient
> passwd rwuser
> passwd rouser
> pcs acl enable
> pcs acl role create read-only description="Read access to cluster" read xpath /cib
> pcs acl role create write-access description="Full access" write xpath /cib
> pcs acl permission add write_config write xpath /cib/configuration
> pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> pcs acl permission add write_config write xpath //resources
> pcs acl permission add write_config write xpath //constraints
> pcs acl user create rouser read-only
> pcs acl user create rwuser write-access
> pcs acl role assign read-only to rouser
> pcs acl role assign write_config to rwuser
>
> User: rouser
>   Roles: read-only
> User: rwuser
>   Roles: write-access write_config
> Role: read-only
>   Description: Read access to cluster
>   Permission: read xpath /cib (read-only-read)
> Role: write-access
>   Description: Full access
>   Permission: write xpath /cib (write-access-write)
> Role: write_config
>   Permission: write xpath /cib/configuration (write_config-write)
>   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
>   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
>   Permission: write xpath //resources (write_config-write-3)
>   Permission: write xpath //constraints (write_config-write-4)
>
> su rouser
> Username: rouser
> Password:
> localhost: Authorized
> pcs cluster stop
> Stopping Cluster (pacemaker)...
> Stopping Cluster (corosync)...
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/

--
Regards,

Reid Wahl (He/Him)
Senior Software Engineer, Red Hat
RHEL High Availability - Pacemaker