Bug 1724310

Summary: Implement acl_group in pacemaker
Product: Red Hat Enterprise Linux 8
Reporter: Ken Gaillot <kgaillot>
Component: pacemaker
Assignee: gchin
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: medium
Docs Contact: Steven J. Levine <slevine>
Priority: high
Version: 8.0
CC: amemon, cfeist, c.handel, cluster-maint, cluster-qe, jruemker, kgaillot, lmanasko, m.alshafay, msmazova, sbradley, tojeline
Target Milestone: pre-dev-freeze
Keywords: FutureFeature, Reopened, Triaged
Target Release: 8.7
Hardware: All
OS: All
Fixed In Version: pacemaker-2.1.4-3.el8
Doc Type: Enhancement
Doc Text:
.Pacemaker now supports specifying Access Control Lists (ACLs) for system groups

Pacemaker previously allowed ACLs to be specified for individual users, but it is sometimes simpler, and conforms better with local policies, to specify ACLs for a system group and have them apply to all users in that group. The `pcs acl group` command was present in earlier releases but had no effect. Users can now specify ACLs for a system group using this command.
Story Points: ---
Clone Of: 1253191
Last Closed: 2022-11-08 09:42:25 UTC
Type: Feature Request
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ken Gaillot 2019-06-26 18:13:57 UTC
+++ This bug was initially created as a clone of Bug #1253191 +++

Pacemaker supports acl_group syntax in its Configuration Information Base (CIB), and pcs supports configuring the syntax via its acl command, but pacemaker does not yet implement the feature.

Steps to Reproduce:

# create a group
groupadd rogroup
# create a user
useradd -G haclient,rogroup rouser
# enable acl
pcs acl enable
# define role
pcs acl role create readonly read xpath /cib
# add group
pcs acl group create rogroup readonly

Actual results:

[rouser@nodea ~]$ pcs resource
Error: unable to get resource list from crm_resource
Error performing operation: Permission denied

Expected results:

Resource status shown.
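As an added illustration (not part of the bug report or of Pacemaker's own code), the following Python models the role resolution this feature adds: a constructed CIB `acls` fragment matching the reproducer is resolved first as the pre-fix daemon did (acl_group stored but ignored) and then with group membership honoured. Element and attribute names follow the CIB ACL schema; `honor_groups` is an illustrative switch, not a Pacemaker option.

```python
import xml.etree.ElementTree as ET

# Constructed CIB fragment mirroring the reproducer above: the "readonly" role
# is granted only through an acl_group for the system group "rogroup".
CIB_ACLS = """
<cib>
  <configuration>
    <acls>
      <acl_role id="readonly">
        <acl_permission id="readonly-read" kind="read" xpath="/cib"/>
      </acl_role>
      <acl_group id="rogroup">
        <role id="readonly"/>
      </acl_group>
    </acls>
  </configuration>
</cib>
"""

def effective_roles(cib_xml, user, groups, honor_groups=True):
    """acl_role ids applying to `user`: acl_target matches the user name,
    acl_group matches any of the user's system groups. honor_groups=False
    models the pre-fix daemon, which stored acl_group but never consulted it."""
    acls = ET.fromstring(cib_xml).find("./configuration/acls")
    roles = set()
    if acls is None:
        return roles
    for target in acls.findall("acl_target"):
        if target.get("id") == user:
            roles.update(r.get("id") for r in target.findall("role"))
    if honor_groups:
        for group in acls.findall("acl_group"):
            if group.get("id") in groups:
                roles.update(r.get("id") for r in group.findall("role"))
    return roles

def permissions_for(cib_xml, user, groups, honor_groups=True):
    """Flatten the user's roles into (kind, xpath) tuples. An empty list with
    ACLs enabled means every CIB query is refused ("Permission denied")."""
    roles = effective_roles(cib_xml, user, groups, honor_groups)
    acls = ET.fromstring(cib_xml).find("./configuration/acls")
    return [(p.get("kind"), p.get("xpath"))
            for role in (acls.findall("acl_role") if acls is not None else [])
            if role.get("id") in roles
            for p in role.findall("acl_permission")]

if __name__ == "__main__":
    groups = {"haclient", "rogroup"}  # from `useradd -G haclient,rogroup rouser`
    print("before fix:", permissions_for(CIB_ACLS, "rouser", groups, honor_groups=False))
    print("after fix: ", permissions_for(CIB_ACLS, "rouser", groups))
```

The `haclient` membership in the reproducer is what lets the user connect to Pacemaker's IPC at all; the ACL then decides what that connection may read or write.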

Comment 4 RHEL Program Management 2021-02-01 07:41:48 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 5 Ken Gaillot 2021-02-01 14:56:31 UTC
(In reply to RHEL Program Management from comment #4)
> After evaluating this issue, there are no plans to address it further or fix
> it in an upcoming release.  Therefore, it is being closed.  If plans change
> such that this issue will be fixed in an upcoming release, then the bug can
> be reopened.

This is still a priority, but we do not yet know when developer time will become available for it. Once we know what release the fix will be in, we will reopen this.

Comment 7 Ken Gaillot 2022-06-27 19:10:43 UTC
Fixed in upstream main branch as of commit 1bb7fda60

Comment 11 Markéta Smazová 2022-08-08 15:45:46 UTC
Before fix:
-----------

>   [root@virt-032 ~]# rpm -q pacemaker
>   pacemaker-2.1.2-4.el8.x86_64

>   [root@virt-032 ~]# pcs resource create dummy ocf:pacemaker:Dummy
>   
>   [root@virt-032 ~]# pcs status
>   Cluster name: STSRHTS28411
>   Cluster Summary:
>     * Stack: corosync
>     * Current DC: virt-034 (version 2.1.2-4.el8-ada5c3b36e2) - partition with quorum
>     * Last updated: Mon Aug  8 17:30:21 2022
>     * Last change:  Mon Aug  8 17:30:15 2022 by root via cibadmin on virt-032
>     * 3 nodes configured
>     * 4 resource instances configured

>   Node List:
>     * Online: [ virt-032 virt-033 virt-034 ]

>   Full List of Resources:
>     * fence-virt-032	(stonith:fence_xvm):	 Started virt-032
>     * fence-virt-033	(stonith:fence_xvm):	 Started virt-033
>     * fence-virt-034	(stonith:fence_xvm):	 Started virt-034
>     * dummy	(ocf::pacemaker:Dummy):	 Started virt-032

>   Daemon Status:
>     corosync: active/disabled
>     pacemaker: active/disabled
>     pcsd: active/enabled

Create a group “test_group”:
>   [root@virt-032 ~]# groupadd test_group

Create a user “test_user”, add it to the group, and enable ACLs:
>   [root@virt-032 ~]# useradd -G haclient,test_group test_user
>   [root@virt-032 ~]# pcs acl enable

Create role:
>   [root@virt-032 ~]# pcs acl role create readonly read xpath /cib

Assign role to the “test_group”:
>   [root@virt-032 ~]# pcs acl group create test_group readonly
>   [root@virt-032 ~]# pcs acl
>   ACLs are enabled

>   Group: test_group
>     Roles: readonly
>   Role: readonly
>     Permission: read xpath /cib (readonly-read)

Log in as “test_user”:
>   [root@virt-032 ~]# su test_user

>   [test_user@virt-032 root]$ pcs acl
>   Error: unable to get crm_config
>   Call cib_query failed (-13): Permission denied

>   [test_user@virt-032 root]$ pcs resource
>   Error: unable to get cluster status from crm_mon
>   crm_mon: Connection to cluster failed: Permission denied


After fix:
----------

>   [root@virt-024 ~]# rpm -q pacemaker
>   pacemaker-2.1.4-4.el8.x86_64

>   [root@virt-024 ~]# pcs status
>   Cluster name: STSRHTS15483
>   Cluster Summary:
>     * Stack: corosync
>     * Current DC: virt-024 (version 2.1.4-4.el8-dc6eb4362e) - partition with quorum
>     * Last updated: Wed Aug  3 10:16:56 2022
>     * Last change:  Tue Aug  2 15:46:25 2022 by root via cibadmin on virt-024
>     * 2 nodes configured
>     * 2 resource instances configured

>   Node List:
>     * Online: [ virt-024 virt-025 ]

>   Full List of Resources:
>     * fence-virt-024	(stonith:fence_xvm):	 Started virt-024
>     * fence-virt-025	(stonith:fence_xvm):	 Started virt-025

>   Daemon Status:
>     corosync: active/enabled
>     pacemaker: active/enabled
>     pcsd: active/enabled

Create a group “test_group”:
>   [root@virt-024 ~]# groupadd test_group

Create a user “test_user”, add it to the group, and enable ACLs:
>   [root@virt-024 ~]# useradd -G haclient,test_group test_user
>   [root@virt-024 ~]# pcs acl enable

Create role:
>   [root@virt-024 ~]# pcs acl role create readonly read xpath /cib

Assign role to the “test_group”:
>   [root@virt-024 ~]# pcs acl group create test_group readonly
>   [root@virt-024 ~]# pcs acl
>   ACLs are enabled

>   Group: test_group
>     Roles: readonly
>   Role: readonly
>     Permission: read xpath /cib (readonly-read)

Create resource:
>   [root@virt-024 ~]# pcs resource create dummy ocf:pacemaker:Dummy

Log in as “test_user”:
>   [root@virt-024 ~]# su test_user

>   [test_user@virt-024 root]$ pcs acl
>   ACLs are enabled

>   Group: test_group
>     Roles: readonly
>   Role: readonly
>     Permission: read xpath /cib (readonly-read)

>   [test_user@virt-024 root]$ pcs resource
>     * dummy	(ocf::pacemaker:Dummy):	 Started virt-024


Marking verified in pacemaker-2.1.4-4.el8.

Comment 19 errata-xmlrpc 2022-11-08 09:42:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pacemaker bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7573