Bug 2017312

DevTestResults:

[root@r8-node-01 ~]# rpm -q pcs
pcs-0.10.12-1.el8.x86_64

There is new tab "Permissions" in the cluster management page.
"Permissions" tab shows current permissions and you can create a new
permission for a user or a group with read/write/grant/full permissions.

AFTER:
======

[root@virt-011 ~]# rpm -q pcs
pcs-0.10.12-4.el8.x86_64


## Basic cluster setup

[root@virt-011 ~]# pcs status
Cluster name: STSRHTS29225
Cluster Summary:
  * Stack: corosync
  * Current DC: virt-012 (version 2.1.2-2.el8-ada5c3b36e2) - partition with quorum
  * Last updated: Mon Jan 31 10:16:18 2022
  * Last change:  Mon Jan 31 10:12:15 2022 by root via cibadmin on virt-011
  * 2 nodes configured
  * 6 resource instances configured

Node List:
  * Online: [ virt-011 virt-012 ]

Full List of Resources:
  * fence-virt-011	(stonith:fence_xvm):	 Started virt-011
  * fence-virt-012	(stonith:fence_xvm):	 Started virt-012
  * Clone Set: locking-clone [locking]:
    * Started: [ virt-011 virt-012 ]

Daemon Status:
  corosync: active/disabled
  pacemaker: active/disabled
  pcsd: active/enabled


## in web UI

- open new web UI (https://nodename:2224/ui)
- log in as hacluster (user with all permissions)
- Click 'Add existing cluster' button and proceed with the wizard
- Click on the added cluster

- Click on 'Permissions' tab in the menu
- List of current permission profiles is available
"Name Type Read Write Grant Full	
haclient group Allowed Allowed Allowed Disallowed"

Note: Help messages for each permission type yet to be added.
From console:
read - Allows to view cluster settings
write - Allows to modify cluster settings except permissions and ACLs
grant - Allows to modify cluster permissions and ACLs
full - Allows unrestricted access to a cluster including adding and removing nodes and access to keys and certificates
> This is not true, user with full permissions can not add nodes to cluster due to privilege escalation. New bz for updating the message was created: bz2049208

Note: user 'hacluster' has all rights, regardless of its presence in the 'haclient' group.
Note: To grant permission for newly created users to manage the cluster through the Web UI, the users need to be added in 'haclient' group. As there is already a default permission profile for haclient group, that allows read,write,grant, all users will automatically have these rights. To create specific rights for specific users that differs from haclient group, haclient permission profile needs to be limited and then new permission profiles for specific users created. For this test, haclient profile is limited to only read permission. 

- Click on the three dots menu within haclient profile
- Click Edit and set only Read permission
'Permission updated sucessfully'


Case 1: User with read-only rights
-----------------------------------

## Create new user in CLI, set its password and add it to haclient group (needs to be done on every cluster node)

[root@virt-011 ~]# useradd webuser
[root@virt-011 ~]# passwd webuser
Changing password for user webuser.
New password: 
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@virt-011 ~]# echo $?
0
[root@virt-011 ~]# usermod -a -G haclient webuser

> In this moment, user 'webuser' is part of 'haclient' group, that has its permission profile for read-only, thus user 'webuser' should not have any other rights.


- Login as 'webuser'
> OK: 'webuser' sees the cluster and its configuration (nodes/resources etc.)

- Trying to create new resource
> OK: 'webuser' can not create new resource:
"Communication error during task "create resource "s1""
A communication error occurred during the operation (details in the browser console). You can try to perform the operation again."
in console:
"Communication error while: create resource "s1":
Server returned http status: 403 ({"status":"permission_denied","status_msg":"Permission denied. Required permission level is write","report_list":[],"data":null})"

- Trying to edit permissions
> OK: 'webuser' doesn't see current permissions, nor he can not create one:
"Communication error while: load cluster permissions of cluster STSRHTS29225:
Server returned http status: 403 (Permission denied)"

- Trying to remove node from the cluster
> OK: 'webuser' can not remove node from the cluster:
"Danger alert:Task: remove node "virt-012" failed
{"status":"permission_denied","status_msg":"Permission denied. Required permission level is full","report_list":[],"data":null}
Details in the browser console."


Case 2: User with read and write rights
----------------------------------------

- Login as 'hacluster' (with all permissions)
- Click 'Create permission'
- name: 'webuser', type: user, allowed rights: read and write. Click 'Create permission'.
"Permission created sucessfully"

> Now user 'webuser' should have 'read' and 'write' rights, but not 'grant' and 'full' rights


- Login as 'webuser'
> OK: 'webuser' sees the cluster and its configuration (nodes/resources etc.)

- Trying to create new resource
> OK: 'webuser' can create new resource:
"Task "create resource "s1"" has been done successfully"

- Trying to edit permissions
- OK: 'webuser' doesn't see current permissions, nor he can not create one:
"Communication error while: load cluster permissions of cluster STSRHTS29225:
Server returned http status: 403 (Permission denied)"

- Trying to remove node from the cluster
> OK: 'webuser' can not remove node from the cluster:
"Danger alert:Task: remove node "virt-012" failed
{"status":"permission_denied","status_msg":"Permission denied. Required permission level is full","report_list":[],"data":null}
Details in the browser console."


Case 3: User with read, write and grant rights
-----------------------------------------------

- Login as 'hacluster' (with all permissions)
- Click at three dots menu within 'webuser' permission profile and click 'Edit'
- Add 'Grant' permission to current permission profile and click 'Update permission':
"Permission updated sucessfully"

> Now user 'webuser' should have 'read', 'write' and 'grant' rights, but not 'full' rights


- Login as 'webuser'
> OK: 'webuser' sees the cluster and its configuration (nodes/resources etc.)

- Trying to create new resource
> OK: 'webuser' can create new resource:
"Task "create resource "s2"" has been done successfully"

- Trying to edit permissions
> OK: 'webuser' can see current permissions and can create new permission profiles with read,write,grant permissions, but not with 'full' permissions. Tested also with 'Edit' option with current profiles:
"Permission create failed
Task: edit permission failed: Permission denied Only hacluster and users with Full permission can grant or revoke Full permission.. Details in the browser console."
- without the 'full' permission:
"Permission created sucessfully"

- Removing the newly created test profile - 'Remove' button under three dots menu
> OK: Permission profiles can be deleted without an issue: 
"Success alert:Permission removed"

- Trying to remove node from the cluster
> OK: 'webuser' can not remove node from the cluster:
"Danger alert:Task: remove node "virt-012" failed
{"status":"permission_denied","status_msg":"Permission denied. Required permission level is full","report_list":[],"data":null}
Details in the browser console."


Case 4: User with read, write, grant and full rights
-----------------------------------------------------

- Login as 'hacluster' (with all permissions)
- Click at three dots menu within 'webuser' permission profile and click 'Edit'
- Add 'Full' permission to current permission profile and click 'Update permission':
"Permission updated sucessfully"

- Login as 'webuser'
> OK: 'webuser' sees the cluster and its configuration (nodes/resources etc.)

- Trying to create new resource
> OK: 'webuser' can create new resource:
"Task "create resource "s3"" has been done successfully"

- Trying to edit permissions
> OK: 'webuser' can see current permissions and can create new permission profiles with read, write, grant and full permissions

- Trying to remove node from the cluster
> OK: 'webuser' can remove node from the cluster:
"Succesfully done: remove node "virt-012"

Messages from the backend

    INFO: Destroying cluster on hosts: 'virt-012'...
    INFO: virt-012: Successfully destroyed cluster
    INFO: Sending updated corosync.conf to nodes...
    INFO: virt-011: Succeeded
    INFO: virt-011: Corosync configuration reloaded"

- Trying to add the node back
"Node can not be added: Task: add node "virt-012": check that node is not in some cluster failed: Permission denied.. Details in the browser console."

> This is a correct behavior due to privilege escalation. A new bz for updating label for full permissions (as it now says that user with full permissions can add a node) was created: bz2049208


Case 5: Group rights
---------------------

- Create new group in CLI (on all cluster nodes)
[root@virt-012 ~]# groupadd webgroup
- add user 'webuser' to group 'webgroup' ('webuser' still needs to be part of the group 'haclient' to access web ui)
[root@virt-012 ~]# usermod -a -G webgroup webuser

- Delete user permission profile for 'webuser' in CLI
- Create permission profile for type group with name 'webgroup' and set specific rights

> OK: All four cases above was tried for group permission profile as well. The behavior stayed the same.


With newly created bz2049208, marking as VERIFIED for pcs-0.10.12-4.el8.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pcs bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1978