Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Some users have expressed interest in restricting the operations that can be done via a Pacemaker Remote node's command line. For example, disallowing root on a Pacemaker Remote node from running stonith_admin to fence a cluster node.
Pacemaker Remote nodes have access, via a proxy, to four Pacemaker APIs: crmd, stonithd, attrd, and the CIB. These APIs can be used by Pacemaker Remote itself, by resource agents for resources running on the Pacemaker Remote node, and by command-line tools run on the Pacemaker Remote command line.
The CIB already supports Access Control Lists (ACLs). For Pacemaker Remote nodes, access is restricted by the node name, rather than by the name of a user account on the node.
The new feature would support options to control the degree of crmd/stonithd/attrd API access allowed to a particular Pacemaker Remote node. This would likely take the form of a new "remote-*" meta-attribute for guest node resource agents, and a new parameter for the ocf:pacemaker:remote resource agent.
The new options would take a value indicating the restrictiveness, from fully open (the default) to only allowing the minimal access needed for the node to function (such as sending shutdown requests to the crmd). In between might be other levels, such as allowing the node to make requests regarding itself (such as setting node attributes for itself, or requesting fencing of itself), but not regarding other nodes.
Implementation-wise, the remote proxy should add the restrictiveness level to each proxied API request, and each daemon can enforce its own interpretation of that level to its API.
Comment 9RHEL Program Management
2021-02-24 07:30:27 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.