3.3. Setting User Permissions
By default, the root user and any user who is a member of the group haclient has full read/write access to the cluster configuration. As of Red Hat Enterprise Linux 6.6, you can use the pcs acl command to set permissions for local users to allow read-only or read-write access to the cluster configuration by using access control lists (ACLs).
Setting permissions for local users is a two-step process:
- Execute the pcs acl role create... command to create a role which defines the permissions for that role.
- Assign the role you created to a user with the pcs acl user create command.
The following example procedure provides read-only access for a cluster configuration to a local user named rouser.
- This procedure requires that the user rouser exists on the local system and that the user rouser is a member of the group haclient.
  # adduser rouser
  # usermod -a -G haclient rouser
- Enable Pacemaker ACLs with the enable-acl cluster property.
  # pcs property set enable-acl=true --force
- Create a role named read-only with read-only permissions for the cib.
  # pcs acl role create read-only description="Read access to cluster" read xpath /cib
- Create the user rouser in the pcs ACL system and assign that user the read-only role.
  # pcs acl user create rouser read-only
- View the current ACLs.
  # pcs acl
  User: rouser
    Roles: read-only
  Role: read-only
    Description: Read access to cluster
    Permission: read xpath /cib (read-only-read)
The following example procedure provides write access for a cluster configuration to a local user named wuser.
- This procedure requires that the user wuser exists on the local system and that the user wuser is a member of the group haclient.
  # adduser wuser
  # usermod -a -G haclient wuser
- Enable Pacemaker ACLs with the enable-acl cluster property.
  # pcs property set enable-acl=true --force
- Create a role named write-access with write permissions for the cib.
  # pcs acl role create write-access description="Full access" write xpath /cib
- Create the user wuser in the pcs ACL system and assign that user the write-access role.
  # pcs acl user create wuser write-access
- View the current ACLs.
  # pcs acl
  User: rouser
    Roles: read-only
  User: wuser
    Roles: write-access
  Role: read-only
    Description: Read access to cluster
    Permission: read xpath /cib (read-only-read)
  Role: write-access
    Description: Full Access
    Permission: write xpath /cib (write-access-write)
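Once several roles and users exist, the question an administrator periodically needs to answer is which local users currently hold write access to the CIB. The following script is an added example, not part of the Red Hat documentation or of pcs itself: it parses the text layout that pcs acl prints (as shown in the two procedures above) and lists the users whose roles carry a write permission. The embedded sample output is constructed to match the second procedure's result; on a live cluster you would feed it the real output of pcs acl.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation or pcs): audit `pcs acl`
# output and report which users hold a role with write access to the CIB.
# SAMPLE_PCS_ACL is constructed to mirror the output shown in the procedure.

SAMPLE_PCS_ACL='User: rouser
  Roles: read-only
User: wuser
  Roles: write-access
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
Role: write-access
  Description: Full Access
  Permission: write xpath /cib (write-access-write)'

# write_roles: read `pcs acl` output on stdin, print every role name that
# has at least one "Permission: write ..." line under it.
write_roles() {
    awk '
        /^Role: /                        { role = $2 }
        /^[[:space:]]*Permission: write/ { if (role != "") print role }
    ' | sort -u
}

# users_with_role ROLE: read `pcs acl` output on stdin, print users assigned ROLE.
users_with_role() {
    awk -v r="$1" '
        /^User: /              { user = $2 }
        /^[[:space:]]*Roles: / { for (i = 2; i <= NF; i++) if ($i == r) print user }
    ' | sort -u
}

# write_users: read `pcs acl` output on stdin, print users holding any write role.
write_users() {
    input=$(cat)
    printf '%s\n' "$input" | write_roles | while read -r r; do
        printf '%s\n' "$input" | users_with_role "$r"
    done | sort -u
}

# On a live cluster: pcs acl | write_users
printf '%s\n' "$SAMPLE_PCS_ACL" | write_users
```

Compare the list against the people who are expected to change cluster configuration; any user that appears here, or any member of haclient while enable-acl is unset, can modify the CIB.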
For further information about cluster ACLs, see the help screen for the pcs acl command.