On 10/16/23 12:16, Klaus Wenninger wrote:
On Fri, Oct 13, 2023 at 9:21 PM Reid Wahl <nw...@redhat.com> wrote:
On Fri, Oct 13, 2023 at 12:19 PM Reid Wahl <nw...@redhat.com> wrote:
>
> On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos <robson2...@gmail.com> wrote:
> >
> > Good day!
> > I use the configuration shown below to create an ACL. How can I restrict access to the "pcs cluster stop" command for a user?
>
> I don't think you can. ACLs are implemented in Pacemaker; pcs simply
> provides an interface to manage them.
>
> `pcs cluster stop` basically runs `systemctl stop pacemaker; systemctl stop corosync`. So it doesn't interact with the Pacemaker ACLs. It just stops the service.
In my experience only the root user can run `pcs cluster stop` successfully anyway.
Haven't actually tried it, but in a setup running pcsd, stop commands would run in the context of pcsd, and so it might still be possible for a non-root user to trigger commands which wouldn't work when called directly.
Klaus
Every user in the haclient group with the default pcsd permissions for the haclient group can run commands like `pcs cluster stop` (except `pcs cluster node add`) after authenticating to the local pcsd.
[user@hostname ~]$ groups
user haclient
[user@hostname ~]$ pcs cluster stop
Warning: Unable to read the known-hosts file: No such file or directory: '/home/user/.pcs/known-hosts'
Error: Unable to authenticate against the local pcsd. Run the same command as root or authenticate yourself to the local pcsd using command 'pcs client local-auth'
[user@hostname ~]$ pcs client local-auth -u user
Password:
localhost: Authorized
[user@hostname ~]$ pcs cluster stop
Stopping Cluster (pacemaker)...
Stopping Cluster (corosync)...
>
> > useradd rouser -m -G haclient
> > useradd rwuser -m -G haclient
> > passwd rwuser
> > passwd rouser
> > pcs acl enable
> > pcs acl role create read-only description="Read access to cluster" read xpath /cib
> > pcs acl role create write-access description="Full access" write xpath /cib
> > pcs acl permission add write_config write xpath /cib/configuration
> > pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
> > pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
> > pcs acl permission add write_config write xpath //resources
> > pcs acl permission add write_config write xpath //constraints
> > pcs acl user create rouser read-only
> > pcs acl user create rwuser write-access
> > pcs acl role assign read-only to rouser
> > pcs acl role assign write_config to rwuser
> >
> > User: rouser
> > Roles: read-only
> > User: rwuser
> > Roles: write-access write_config
> > Role: read-only
> > Description: Read access to cluster
> > Permission: read xpath /cib (read-only-read)
> > Role: write-access
> > Description: Full access
> > Permission: write xpath /cib (write-access-write)
> > Role: write_config
> > Permission: write xpath /cib/configuration (write_config-write)
> > Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
> > Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
> > Permission: write xpath //resources (write_config-write-3)
> > Permission: write xpath //constraints (write_config-write-4)
> >
> > su rouser
> > Username: rouser
> > Password:
> > localhost: Authorized
> > pcs cluster stop
> > Stopping Cluster (pacemaker)...
> > Stopping Cluster (corosync)...
> >
> > _______________________________________________
> > Manage your subscription:
> > https://lists.clusterlabs.org/mailman/listinfo/users
> >
> > ClusterLabs home: https://www.clusterlabs.org/
>
>
>
> --
> Regards,
>
> Reid Wahl (He/Him)
> Senior Software Engineer, Red Hat
> RHEL High Availability - Pacemaker
--
Regards,
Reid Wahl (He/Him)
Senior Software Engineer, Red Hat
RHEL High Availability - Pacemaker
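As an added illustration (not code from this thread, from pcs or from Pacemaker), the following Python models the distinction made above: whether a user can issue `pcs cluster stop` is decided by pcsd's own local-cluster permissions for the haclient group, not by the CIB ACL roles such as "read-only". It assumes the `permissions` -> `local_cluster` layout of pcsd's pcs_settings.conf shown in the constructed sample and that a stop needs pcsd's "write" right; both are assumptions to check against the pcsd version in use.

```python
"""Audit which users pcsd would allow to stop the local cluster.

ASSUMPTIONS (not stated in the thread): pcsd stores its permissions as
"permissions" -> "local_cluster" entries of {"type", "name", "allow"} in
/var/lib/pcsd/pcs_settings.conf, and a cluster stop requires "write".
"""
import json

# Constructed sample of pcsd settings, mirroring the default haclient grant
# the thread describes (haclient group may grant, read and write).
PCSD_SETTINGS = json.loads("""
{
  "format_version": 2,
  "data_version": 3,
  "permissions": {
    "local_cluster": [
      {"type": "group", "name": "haclient", "allow": ["grant", "read", "write"]},
      {"type": "user",  "name": "auditor",  "allow": ["read"]}
    ]
  }
}
""")

# Constructed group membership (what `groups` printed in the thread).
GROUP_MEMBERS = {"haclient": {"hacluster", "rouser", "rwuser", "user"}}

# CIB ACL roles from the thread: shown only to make clear they play no part.
CIB_ACL_ROLES = {"rouser": ["read-only"], "rwuser": ["write-access", "write_config"]}


def pcsd_rights(settings, user, group_members):
    """Return the set of pcsd rights `user` holds on the local cluster."""
    rights = set()
    for entry in settings.get("permissions", {}).get("local_cluster", []):
        if entry["type"] == "user" and entry["name"] == user:
            rights.update(entry["allow"])
        elif entry["type"] == "group" and user in group_members.get(entry["name"], ()):
            rights.update(entry["allow"])
    if "full" in rights:  # assumption: "full" implies the other rights
        rights.update({"grant", "read", "write"})
    return rights


def can_stop_cluster(settings, user, group_members):
    """True if pcsd would let `user` stop the cluster; CIB ACLs are not consulted."""
    return "write" in pcsd_rights(settings, user, group_members)


def audit(settings, group_members, users):
    """Map each user to whether a `pcs cluster stop` would be authorised."""
    return {u: can_stop_cluster(settings, u, group_members) for u in users}


if __name__ == "__main__":
    for user, ok in audit(PCSD_SETTINGS, GROUP_MEMBERS, ["rouser", "rwuser", "auditor"]).items():
        print(f"{user:8s} cib_acl={CIB_ACL_ROLES.get(user, [])} can_stop={ok}")
```

Running it shows rouser, whose CIB ACL is read-only, still authorised to stop the cluster because of the haclient group's pcsd "write" right; tightening that group entry, not the CIB ACL, is what changes the outcome.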