Good day! I use the configuration to create an ACL; it is shown below. How can I restrict access to the "pcs cluster stop" command for a user?

useradd rouser -m -G haclient
useradd rwuser -m -G haclient
passwd rwuser
passwd rouser
pcs acl enable
pcs acl role create read-only description="Read access to cluster" read xpath /cib
pcs acl role create write-access description="Full access" write xpath /cib
pcs acl permission add write_config write xpath /cib/configuration
pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
pcs acl permission add write_config write xpath //resources
pcs acl permission add write_config write xpath //constraints
pcs acl user create rouser read-only
pcs acl user create rwuser write-access
pcs acl role assign read-only to rouser
pcs acl role assign write_config to rwuser

User: rouser
  Roles: read-only
User: rwuser
  Roles: write-access write_config
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
Role: write-access
  Description: Full access
  Permission: write xpath /cib (write-access-write)
Role: write_config
  Permission: write xpath /cib/configuration (write_config-write)
  Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
  Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
  Permission: write xpath //resources (write_config-write-3)
  Permission: write xpath //constraints (write_config-write-4)

su rouser
Username: rouser
Password:
localhost: Authorized
pcs cluster stop
Stopping Cluster (pacemaker)...
Stopping Cluster (corosync)...