Bug 1054490 - RFE: Users & group functionality in pcs
Summary: RFE: Users & group functionality in pcs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Chris Feist
QA Contact: Cluster QE
URL:
Whiteboard:
Depends On:
Blocks: 1054627 1129862
Reported: 2014-01-16 22:56 UTC by Chris Feist
Modified: 2015-03-05 09:18 UTC

Fixed In Version: pcs-0.9.126-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1054627 1129862
Environment:
Last Closed: 2015-03-05 09:18:31 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1147989 None None None Never
Red Hat Product Errata RHBA-2015:0415 normal SHIPPED_LIVE pcs bug fix and enhancement update 2015-03-05 14:16:41 UTC

Internal Links: 1147989

Description Chris Feist 2014-01-16 22:56:30 UTC
Description of problem:
Need ability to control access by user and/or group

Comment 2 Chris Feist 2014-07-22 23:51:21 UTC
Committed upstream as ACLs here:

https://github.com/feist/pcs/commit/bb9eaeb1d12600eced6e679973ee1435ab265cff

Comment 4 Tomas Jelinek 2014-09-12 09:15:04 UTC
Before Fix:
[root@rh70-node1 ~]# rpm -q pcs
pcs-0.9.115-32.el7.x86_64
[root@rh70-node1 ~]# pcs acl

Usage: pcs [-f file] [-h] [commands]...
Control and configure pacemaker and corosync.
{output trimmed}


After Fix:
[root@rh70-node1 ~]# rpm -q pcs
pcs-0.9.126-1.el7.x86_64
[root@rh70-node1 pcs]# useradd user1
[root@rh70-node1 pcs]# usermod -aG haclient user1

[root@rh70-node2 pcs]# useradd user1
[root@rh70-node2 pcs]# usermod -aG haclient user1

[root@rh70-node1 pcs]# pcs property set enable-acl=true --force

[user1@rh70-node1 ~]$ pcs resource
Error: unable to get resource list from crm_resource
Error performing operation: Permission denied

[root@rh70-node1 ~]# pcs acl role create role1 read xpath /
[root@rh70-node1 ~]# pcs acl user create user1 role1
[root@rh70-node1 ~]# pcs acl
User: user1
  Roles: role1
Role: role1
  Permission: read xpath / (role1-read)

[user1@rh70-node1 ~]$ pcs resource
 dummy  (ocf::heartbeat:Dummy): Started
[user1@rh70-node1 ~]$ pcs resource create dummy1 Dummy
Error: Unable to update cib
Call cib_replace failed (-13): Permission denied
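
An added example (not part of the bug report or of pcs itself): a small Python audit that parses `pcs acl` output in the layout shown in Comment 4 and reports which permission kinds each user has been granted. The sample input is constructed (user2 and the `operators` and `ghost` roles are made up), and the script only lists granted kinds; it does not evaluate XPath matches the way Pacemaker does.

```python
import re

# Constructed sample in the layout shown in Comment 4. user2 and the
# "operators" and "ghost" roles are made up to exercise the audit.
SAMPLE = """\
User: user1
  Roles: role1
User: user2
  Roles: role1 operators ghost
Role: role1
  Permission: read xpath / (role1-read)
Role: operators
  Permission: write xpath //primitive (operators-write)
"""

# "Permission: <kind> <xpath|id> <target> (<permission id>)"
PERM = re.compile(r"Permission: (read|write|deny) (xpath|id) (.+?) \(([^)]+)\)$")

def parse_pcs_acl(text):
    """Return (users, roles): user -> role names, role -> [(kind, scope, target)]."""
    users, roles = {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("User: ", "Role: ")):
            kind, name = line.split(": ", 1)
            (users if kind == "User" else roles).setdefault(name, [])
        elif line.startswith("Roles:") and kind == "User":
            users[name] = line.split()[1:]
        elif kind == "Role":
            m = PERM.match(line)
            if m:
                roles[name].append(m.groups()[:3])
    return users, roles

def audit(text):
    """Summarise per user which permission kinds are granted (no XPath evaluation)."""
    users, roles = parse_pcs_acl(text)
    report = {}
    for user, assigned in users.items():
        perms = [p for r in assigned for p in roles.get(r, [])]
        writes = [f"{scope} {target}" for k, scope, target in perms if k == "write"]
        if writes:
            level = "write"
        elif any(k == "read" for k, _, _ in perms):
            level = "read-only"
        else:
            level = "no-access"
        report[user] = {"level": level, "write": writes,
                        "missing_roles": [r for r in assigned if r not in roles]}
    return report

if __name__ == "__main__":
    for user, info in audit(SAMPLE).items():
        print(user, info)
```

Feeding it the captured output of `pcs acl` from a node gives a quick list of accounts that hold write permissions or reference roles that no longer exist.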

Comment 5 Tomas Jelinek 2014-09-15 16:24:13 UTC
Fix for enabling acl without force committed upstream:

https://github.com/feist/pcs/commit/d97269518313e40b001396b762ef4cf2344ae340


test:

[root@rh70-node1 ~]# pcs property 
Cluster Properties:
 cluster-infrastructure: corosync
 dc-version: 1.1.10-29.el7-368c726
 last-lrm-refresh: 1400240032
[root@rh70-node1 ~]# pcs property set enable-acl=true
[root@rh70-node1 ~]# pcs property 
Cluster Properties:
 cluster-infrastructure: corosync
 dc-version: 1.1.10-29.el7-368c726
 enable-acl: true
 last-lrm-refresh: 1400240032

Comment 9 errata-xmlrpc 2015-03-05 09:18:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0415.html

