Este conteúdo não está disponível no idioma selecionado.
Chapter 20. Setting user permissions for a Pacemaker cluster
You can grant permission for specific users other than user hacluster
to manage a Pacemaker cluster. There are two sets of permissions that you can grant to individual users:
-
Permissions that allow individual users to manage the cluster through the Web UI and to run
pcs
commands that connect to nodes over a network. Commands that connect to nodes over a network include commands to set up a cluster, or to add or remove nodes from a cluster. - Permissions for local users to allow read-only or read-write access to the cluster configuration. Commands that do not require connecting over a network include commands that edit the cluster configuration, such as those that create resources and configure constraints.
In situations where both sets of permissions have been assigned, the permissions for commands that connect over a network are applied first, and then permissions for editing the cluster configuration on the local node are applied. Most pcs
commands do not require network access and in those cases the network permissions will not apply.
20.1. Setting permissions for node access over a network
To grant permission for specific users to manage the cluster through the Web UI and to run pcs
commands that connect to nodes over a network, add those users to the group haclient
. This must be done on every node in the cluster.
20.2. Setting local permissions using ACLs
You can use the pcs acl
command to set permissions for local users to allow read-only or read-write access to the cluster configuration by using access control lists (ACLs).
By default, ACLs are not enabled. When ACLs are not enabled, any user who is a member of the group haclient
on all nodes has full local read/write access to the cluster configuration while users who are not members of haclient
have no access. When ACLs are enabled, however, even users who are members of the haclient
group have access only to what has been granted to that user by the ACLs. The root and hacluster
user accounts always have full access to the cluster configuration, even when ACLs are enabled.
Setting permissions for local users is a two step process:
-
Execute the
pcs acl role create…
command to create a role which defines the permissions for that role. -
Assign the role you created to a user with the
pcs acl user create
command. If you assign multiple roles to the same user, anydeny
permission takes precedence, thenwrite
, thenread
.
Procedure
The following example procedure provides read-only access for a cluster configuration to a local user named rouser
. Note that it is also possible to restrict access to certain portions of the configuration only.
It is important to perform this procedure as root or to save all of the configuration updates to a working file which you can then push to the active CIB when you are finished. Otherwise, you can lock yourself out of making any further changes. For information on saving configuration updates to a working file, see Saving a configuration change to a working file.
This procedure requires that the user
rouser
exists on the local system and that the userrouser
is a member of the grouphaclient
.# adduser rouser # usermod -a -G haclient rouser
Enable Pacemaker ACLs with the
pcs acl enable
command.# pcs acl enable
Create a role named
read-only
with read-only permissions for the cib.# pcs acl role create read-only description="Read access to cluster" read xpath /cib
Create the user
rouser
in the pcs ACL system and assign that user theread-only
role.# pcs acl user create rouser read-only
View the current ACLs.
# pcs acl User: rouser Roles: read-only Role: read-only Description: Read access to cluster Permission: read xpath /cib (read-only-read)
On each node where
rouser
will runpcs
commands, log in asrouser
and authenticate to the localpcsd
service. This is required in order to run certainpcs
commands, such aspcs status
, as the ACL user.[rouser ~]$ pcs client local-auth