On Fri, Oct 13, 2023 at 9:21 PM Reid Wahl <nw...@redhat.com> wrote:
> On Fri, Oct 13, 2023 at 12:19 PM Reid Wahl <nw...@redhat.com> wrote:
> >
> > On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos <robson2...@gmail.com> wrote:
> > >
> > > Good day!
> > > I use the configuration to create an ACL; it is shown below. How can I restrict access to the "pcs cluster stop" command for a user?
> >
> > I don't think you can. ACLs are implemented in Pacemaker; pcs simply provides an interface to manage them.
> >
> > `pcs cluster stop` basically runs `systemctl stop pacemaker; systemctl stop corosync`. So it doesn't interact with the Pacemaker ACLs. It just stops the service.
>
> In my experience only the root user can run `pcs cluster stop` successfully anyway.
>

Haven't actually tried it, but in a setup running pcsd, stop commands would run in the context of pcsd, and so it might still be possible to trigger commands by a non-root user which wouldn't work when called directly.

Klaus

> >
> > >
> > > useradd rouser -m -G haclient
> > > useradd rwuser -m -G haclient
> > > passwd rwuser
> > > passwd rouser
> > > pcs acl enable
> > > pcs acl role create read-only description="Read access to cluster" read xpath /cib
> > > pcs acl role create write-access description="Full access" write xpath /cib
> > > pcs acl permission add write_config write xpath /cib/configuration
> > > pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> > > pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> > > pcs acl permission add write_config write xpath //resources
> > > pcs acl permission add write_config write xpath //constraints
> > > pcs acl user create rouser read-only
> > > pcs acl user create rwuser write-access
> > > pcs acl role assign read-only to rouser
> > > pcs acl role assign write_config to rwuser
> > >
> > > User: rouser
> > >   Roles: read-only
> > > User: rwuser
> > >   Roles: write-access write_config
> > > Role: read-only
> > >   Description: Read access to cluster
> > >   Permission: read xpath /cib (read-only-read)
> > > Role: write-access
> > >   Description: Full access
> > >   Permission: write xpath /cib (write-access-write)
> > > Role: write_config
> > >   Permission: write xpath /cib/configuration (write_config-write)
> > >   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
> > >   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
> > >   Permission: write xpath //resources (write_config-write-3)
> > >   Permission: write xpath //constraints (write_config-write-4)
> > >
> > > su rouser
> > > Username: rouser
> > > Password:
> > > localhost: Authorized
> > > pcs cluster stop
> > > Stopping Cluster (pacemaker)...
> > > Stopping Cluster (corosync)...
> > >
> > > _______________________________________________
> > > Manage your subscription:
> > > https://lists.clusterlabs.org/mailman/listinfo/users
> > >
> > > ClusterLabs home: https://www.clusterlabs.org/
> >
> >
> >
> > --
> > Regards,
> >
> > Reid Wahl (He/Him)
> > Senior Software Engineer, Red Hat
> > RHEL High Availability - Pacemaker
>
>
>
> --
> Regards,
>
> Reid Wahl (He/Him)
> Senior Software Engineer, Red Hat
> RHEL High Availability - Pacemaker