Hi Roberto!

On 10/13/23 10:13, Roberto Rodrigos wrote:
good day!
I use the configuration to create an ACL, it is shown below. How can I restrict access to the "pcs cluster stop" command for a user?

There is a way to restrict access to the `pcs cluster stop` command but you
need to change permission settings in pcs-web-ui. It cannot be done from
CLI.

Here is the procedure:
1. create a system user and add it to the 'haclient' group
2. login as hacluster user in the pcs-web-ui on some cluster node
(https://hostname:2224/ui)
3. add existing cluster
4. go to the cluster settings and click on permissions tab
5. remove permissions for haclient group or restrict access to "Read"
6. add "Read" permissions for your created user.

This will restrict access to the `pcs cluster stop` command but also to
other commands which do some changes over pcsd daemon.
Here is probably not the complete list of affected commands:
* pcs cluster destroy
* pcs cluster enable/disable
* pcs cluster node
* pcs cluster start/stop
* pcs cluster sync
* pcs pcsd sync-certificates

This will also restrict the user and haclient group from access to web
UI actions which change CIB configuration (e.g. managing resources) but
CLI commands working with the CIB configuration will still work (e.g.
`pcs resource create`), so you need to use pacemaker ACLs for further
user restrictions.

useradd rouser -m -G haclient
useradd rwuser -m -G haclient
passwd rwuser
passwd rouser
pcs acl enable
pcs acl role create read-only description="Read access to cluster" read xpath /cib
pcs acl role create write-access description="Full access" write xpath /cib
pcs acl permission add write_config write xpath /cib/configuration
pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
pcs acl permission add write_config write xpath //resources
pcs acl permission add write_config write xpath //constraints
pcs acl user create rouser read-only
pcs acl user create rwuser write-access
pcs acl role assign read-only to rouser
pcs acl role assign write_config to rwuser

User: rouser
   Roles: read-only
User: rwuser
   Roles: write-access write_config
Role: read-only
   Description: Read access to cluster
   Permission: read xpath /cib (read-only-read)
Role: write-access
   Description: Full access
   Permission: write xpath /cib (write-access-write)
Role: write_config
   Permission: write xpath /cib/configuration (write_config-write)
   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
   Permission: write xpath //resources (write_config-write-3)
   Permission: write xpath //constraints (write_config-write-4)

su rouser
Username: rouser
Password:
localhost: Authorized
pcs cluster stop
Stopping Cluster (pacemaker)...
Stopping Cluster (corosync)...


_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
Regards,
Miroslav
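An added example, not from Miroslav's reply or from pcs itself: it parses the `pcs acl` output quoted in this thread and reports, per user, which CIB targets the user's roles can write, flagging any role whose write target covers the /cib/configuration/acls subtree (the "Full access" write on /cib and the write_config write on /cib/configuration both do), since such a user could widen their own rights. The sample input is the thread's own output with the run-together permission lines separated; the ACL_ANCESTORS set and the subtree rule it relies on are assumptions stated in the comments.

```python
import re
# Constructed sample input: the `pcs acl` output quoted in this thread, with
# the two permission lines that extraction ran together restored.
PCS_ACL_OUTPUT = """\
User: rouser
   Roles: read-only
User: rwuser
   Roles: write-access write_config
Role: read-only
   Description: Read access to cluster
   Permission: read xpath /cib (read-only-read)
Role: write-access
   Description: Full access
   Permission: write xpath /cib (write-access-write)
Role: write_config
   Permission: write xpath /cib/configuration (write_config-write)
   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
   Permission: write xpath //resources (write_config-write-3)
   Permission: write xpath //constraints (write_config-write-4)
"""
# Assumption: ACL definitions live at /cib/configuration/acls and a permission
# covers the whole subtree of its target, so a write on any ancestor reaches them.
ACL_ANCESTORS = {"/cib", "/cib/configuration", "/cib/configuration/acls"}
PERM_RE = re.compile(r"Permission:\s+(read|write|deny)\s+(xpath|id)\s+(\S+)\s+\((\S+)\)")

def parse_pcs_acl(text):
    """Return ({user: [role, ...]}, {role: [(kind, selector, target), ...]})."""
    users, roles, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User:"):
            current = ("user", line.split(":", 1)[1].strip())
        elif line.startswith("Role:"):
            current = ("role", line.split(":", 1)[1].strip())
            roles.setdefault(current[1], [])
        elif line.startswith("Roles:") and current and current[0] == "user":
            users[current[1]] = line.split(":", 1)[1].split()
        elif current and current[0] == "role" and (m := PERM_RE.match(line)):
            roles[current[1]].append((m.group(1), m.group(2), m.group(3)))
    return users, roles

def write_targets(users, roles, user):
    """Every xpath/id target that the user's roles grant write access to."""
    return {t for role in users.get(user, []) for k, _, t in roles.get(role, []) if k == "write"}

def can_edit_acls(users, roles, user):
    """True when a write permission reaches the acls subtree: the user could widen their own rights."""
    return bool(write_targets(users, roles, user) & ACL_ANCESTORS)
```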
