Bug 1392632

Summary: Pacemaker Remote nodes should have varying levels of trust
Product: Red Hat Enterprise Linux 8 Reporter: Ken Gaillot <kgaillot>
Component: pacemakerAssignee: Ken Gaillot <kgaillot>
Status: CLOSED WONTFIX QA Contact: cluster-qe <cluster-qe>
Severity: medium Docs Contact:
Priority: low    
Version: 8.0CC: cluster-maint, mnovacek, rmarigny, sbradley
Target Milestone: pre-dev-freezeKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 07:30:27 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ken Gaillot 2016-11-07 23:21:27 UTC 
Some users have expressed interest in restricting the operations that can be done via a Pacemaker Remote node's command line. For example, disallowing root on a Pacemaker Remote node from running stonith_admin to fence a cluster node.

Pacemaker Remote nodes have access, via a proxy, to four Pacemaker APIs: crmd, stonithd, attrd, and the CIB. These APIs can be used by Pacemaker Remote itself, by resource agents for resources running on the Pacemaker Remote node, and by command-line tools run on the Pacemaker Remote command line.

The CIB already supports Access Control Lists (ACLs). For Pacemaker Remote nodes, access is restricted by the node name, rather than by the name of a user account on the node.

The new feature would support options to control the degree of crmd/stonithd/attrd API access allowed to a particular Pacemaker Remote node. This would likely take the form of a new "remote-*" meta-attribute for guest node resource agents, and a new parameter for the ocf:pacemaker:remote resource agent.

The new options would take a value indicating the restrictiveness, from fully open (the default) to only allowing the minimal access needed for the node to function (such as sending shutdown requests to the crmd). In between might be other levels, such as allowing the node to make requests regarding itself (such as setting node attributes for itself, or requesting fencing of itself), but not regarding other nodes.

Implementation-wise, the remote proxy should add the restrictiveness level to each proxied API request, and each daemon can enforce its own interpretation of that level to its API.
Comment 1 Ken Gaillot 2017-01-10 22:23:24 UTC 
This will not be addressed in the 7.4 timeframe
Comment 4 Ken Gaillot 2017-10-09 17:29:14 UTC 
Due to time constraints, this will not make 7.5
Comment 9 RHEL Program Management 2021-02-24 07:30:27 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.