Home
Products
Red Hat Enterprise Linux
6
Configuring the Red Hat High Availability Add-On with Pacemaker
3.3. Setting User Permissions

3.3. Setting User Permissions

By default, the root user and any user who is a member of the group haclient has full read/write access to the cluster configuration. As of Red Hat Enterprise Linux 6.6, you can use the pcs acl command to set permission for local users to allow read-only or read-write access to the cluster configuration by using access control lists (ACLs).

Setting permissions for local users is a two-step process:

Execute the pcs acl role create... command to create a role which defines the permissions for that role.
Assign the role you created to a user with the pcs acl user create command.

The following example procedure provides read-only access for a cluster configuration to a local user named rouser.

This procedure requires that the user rouser exists on the local system and that the user rouser is a member of the group haclient.
```
adduser rouser
usermod -a -G haclient rouser
```
```
# adduser rouser
# usermod -a -G haclient rouser
```
Copy to Clipboard Toggle word wrap
Enable Pacemaker ACLs with the enable-acl cluster property.
```
pcs property set enable-acl=true --force
```
```
# pcs property set enable-acl=true --force 
```
Copy to Clipboard Toggle word wrap

Create a role named read-only with read-only permissions for the cib.

pcs acl role create read-only description="Read access to cluster" read xpath /cib

# pcs acl role create read-only description="Read access to cluster" read xpath /cib

Copy to Clipboard

Toggle word wrap

Create the user rouser in the pcs ACL system and assign that user the read-only role.
```
pcs acl user create rouser read-only
```
```
# pcs acl user create rouser read-only
```
Copy to Clipboard Toggle word wrap

View the current ACLs.

pcs acl

# pcs acl
User: rouser
  Roles: read-only
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)

Copy to Clipboard

Toggle word wrap

The following example procedure provides write access for a cluster configuration to a local user named wuser.

This procedure requires that the user wuser exists on the local system and that the user wuser is a member of the group haclient.
```
adduser wuser
usermod -a -G haclient wuser
```
```
# adduser wuser
# usermod -a -G haclient wuser
```
Copy to Clipboard Toggle word wrap
Enable Pacemaker ACLs with the enable-acl cluster property.
```
pcs property set enable-acl=true --force
```
```
# pcs property set enable-acl=true --force 
```
Copy to Clipboard Toggle word wrap

Create a role named write-access with write permissions for the cib.

pcs acl role create write-access description="Full access" write xpath /cib

# pcs acl role create write-access description="Full access" write xpath /cib

Copy to Clipboard

Toggle word wrap

Create the user wuser in the pcs ACL system and assign that user the write-access role.
```
pcs acl user create wuser write-access
```
```
# pcs acl user create wuser write-access
```
Copy to Clipboard Toggle word wrap

View the current ACLs.

pcs acl

# pcs acl
User: rouser
  Roles: read-only
User: wuser
  Roles: write-access
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
Role: write-access
  Description: Full Access
  Permission: write xpath /cib (write-access-write)

Copy to Clipboard

Toggle word wrap

For further information about cluster ACLs, see the help screen for the pcs acl command.

3.3. Setting User Permissions

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links