4.5. Setting User Permissions
You can grant permission for specific users other than user
hacluster
to manage the cluster. There are two sets of permissions that you can grant to individual users:
- Permissions that allow individual users to manage the cluster through the Web UI and to run
pcs
commands that connect to nodes over a network, as described in Section 4.5.1, “Setting Permissions for Node Access Over a Network”. Commands that connect to nodes over a network include commands to set up a cluster, or to add or remove nodes from a cluster. - Permissions for local users to allow read-only or read-write access to the cluster configuration, as described in Section 4.5.2, “Setting Local Permissions Using ACLs”. Commands that do not require connecting over a network include commands that edit the cluster configuration, such as those that create resources and configure constraints.
In situations where both sets of permissions have been assigned, the permissions for commands that connect over a network are applied first, and then permissions for editing the cluster configuration on the local node are applied. Most
pcs
commands do not require network access and in those cases the network permissions will not apply.
4.5.1. Setting Permissions for Node Access Over a Network
To grant permission for specific users to manage the cluster through the Web UI and to run
pcs
commands that connect to nodes over a network, add those users to the group haclient
. You can then use the Web UI to grant permissions for those users, as described in Section 2.2.2, “Setting Cluster Management Permissions”.
4.5.2. Setting Local Permissions Using ACLs
As of Red Hat Enterprise Linux 7.1, you can use the
pcs acl
command to set permissions for local users to allow read-only or read-write access to the cluster configuration by using access control lists (ACLs). You can also configure ACLs using the pcsd
Web UI, as described in Section 2.3.4, “Configuring ACLs”. By default, the root user and any user who is a member of the group haclient
has full local read/write access to the cluster configuration.
Setting permissions for local users is a two step process:
- Execute the
pcs acl role create...
command to create a role which defines the permissions for that role. - Assign the role you created to a user with the
pcs acl user create
command.
The following example procedure provides read-only access for a cluster configuration to a local user named
rouser
.
- This procedure requires that the user
rouser
exists on the local system and that the userrouser
is a member of the grouphaclient
.#
adduser rouser
#usermod -a -G haclient rouser
- Enable Pacemaker ACLs with the
enable-acl
cluster property.#
pcs property set enable-acl=true --force
- Create a role named
read-only
with read-only permissions for the cib.#
pcs acl role create read-only description="Read access to cluster" read xpath /cib
- Create the user
rouser
in the pcs ACL system and assign that user theread-only
role.#
pcs acl user create rouser read-only
- View the current ACLs.
#
pcs acl
User: rouser Roles: read-only Role: read-only Description: Read access to cluster Permission: read xpath /cib (read-only-read)
The following example procedure provides write access for a cluster configuration to a local user named
wuser
.
- This procedure requires that the user
wuser
exists on the local system and that the userwuser
is a member of the grouphaclient
.#
adduser wuser
#usermod -a -G haclient wuser
- Enable Pacemaker ACLs with the
enable-acl
cluster property.#
pcs property set enable-acl=true --force
- Create a role named
write-access
with write permissions for the cib.#
pcs acl role create write-access description="Full access" write xpath /cib
- Create the user
wuser
in the pcs ACL system and assign that user thewrite-access
role.#
pcs acl user create wuser write-access
- View the current ACLs.
#
pcs acl
User: rouser Roles: read-only User: wuser Roles: write-access Role: read-only Description: Read access to cluster Permission: read xpath /cib (read-only-read) Role: write-access Description: Full Access Permission: write xpath /cib (write-access-write)
For further information about cluster ACLs, see the help screen for the
pcs acl
command.