이 콘텐츠는 선택한 언어로 제공되지 않습니다.

4.5. Setting User Permissions


You can grant permission for specific users other than user hacluster to manage the cluster. There are two sets of permissions that you can grant to individual users:
  • Permissions that allow individual users to manage the cluster through the Web UI and to run pcs commands that connect to nodes over a network, as described in Section 4.5.1, “Setting Permissions for Node Access Over a Network”. Commands that connect to nodes over a network include commands to set up a cluster, or to add or remove nodes from a cluster.
  • Permissions for local users to allow read-only or read-write access to the cluster configuration, as described in Section 4.5.2, “Setting Local Permissions Using ACLs”. Commands that do not require connecting over a network include commands that edit the cluster configuration, such as those that create resources and configure constraints.
In situations where both sets of permissions have been assigned, the permissions for commands that connect over a network are applied first, and then permissions for editing the cluster configuration on the local node are applied. Most pcs commands do not require network access and in those cases the network permissions will not apply.

4.5.1. Setting Permissions for Node Access Over a Network

To grant permission for specific users to manage the cluster through the Web UI and to run pcs commands that connect to nodes over a network, add those users to the group haclient. You can then use the Web UI to grant permissions for those users, as described in Section 2.2.2, “Setting Cluster Management Permissions”.

4.5.2. Setting Local Permissions Using ACLs

As of Red Hat Enterprise Linux 7.1, you can use the pcs acl command to set permissions for local users to allow read-only or read-write access to the cluster configuration by using access control lists (ACLs). You can also configure ACLs using the pcsd Web UI, as described in Section 2.3.4, “Configuring ACLs”. By default, the root user and any user who is a member of the group haclient has full local read/write access to the cluster configuration.
Setting permissions for local users is a two step process:
  1. Execute the pcs acl role create... command to create a role which defines the permissions for that role.
  2. Assign the role you created to a user with the pcs acl user create command.
The following example procedure provides read-only access for a cluster configuration to a local user named rouser.
  1. This procedure requires that the user rouser exists on the local system and that the user rouser is a member of the group haclient.
    # adduser rouser
    # usermod -a -G haclient rouser
  2. Enable Pacemaker ACLs with the enable-acl cluster property.
    # pcs property set enable-acl=true --force 
  3. Create a role named read-only with read-only permissions for the cib.
    # pcs acl role create read-only description="Read access to cluster" read xpath /cib
  4. Create the user rouser in the pcs ACL system and assign that user the read-only role.
    # pcs acl user create rouser read-only
  5. View the current ACLs.
    # pcs acl
    User: rouser
      Roles: read-only
    Role: read-only
      Description: Read access to cluster
      Permission: read xpath /cib (read-only-read)
    
The following example procedure provides write access for a cluster configuration to a local user named wuser.
  1. This procedure requires that the user wuser exists on the local system and that the user wuser is a member of the group haclient.
    # adduser wuser
    # usermod -a -G haclient wuser
  2. Enable Pacemaker ACLs with the enable-acl cluster property.
    # pcs property set enable-acl=true --force 
  3. Create a role named write-access with write permissions for the cib.
    # pcs acl role create write-access description="Full access" write xpath /cib
  4. Create the user wuser in the pcs ACL system and assign that user the write-access role.
    # pcs acl user create wuser write-access
  5. View the current ACLs.
    # pcs acl
    User: rouser
      Roles: read-only
    User: wuser
      Roles: write-access
    Role: read-only
      Description: Read access to cluster
      Permission: read xpath /cib (read-only-read)
    Role: write-access
      Description: Full Access
      Permission: write xpath /cib (write-access-write)
    
For further information about cluster ACLs, see the help screen for the pcs acl command.
Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.