Red Hat Bugzilla – Bug 1253191
pacemaker ACL definitions using PAM groups
Last modified: 2017-12-08 21:03:44 EST
---++ Description of problem
unable to use PAM groups to define Access Control Lists in pacemaker
---++ Version-Release number of selected component (if applicable)
---++ How reproducible
---++ Steps to Reproduce
# create a group
# create a user
useradd -G haclient,rogroup rouser
# uid=4101(rouser) gid=4101(rouser)
# enable acl
pcs acl enable
# define role
pcs acl role create readonly read xpath /cib
# add group
pcs acl group create rogroup readonly
# ACLs are enabled
# Group: rogroup
# Roles: readonly
# Role: readonly
# Permission: read xpath /cib (readonly-read)
---++ Actual results
[rouser@nodea ~]$ pcs resource
Error: unable to get resource list from crm_resource
Error performing operation: Permission denied
---++ Expected results
Resource status shown.
Directly assigning roles to the user works (pcs acl user create rouser readonly), but groups should be used as multiple users need the same permissions.
Looks like a pacemaker issue to me:
1. pcs sets ACLs in the CIB just fine
2. I found "acl_group" in pacemaker sources only in xml/acls-2.0.rng and include/crm/msg_xml.h: # define XML_ACL_TAG_GROUP "acl_group", but XML_ACL_TAG_GROUP is not used anywhere as far as I can see (searching through upstream sources commit e54e3c151764aed9c423d9be2f144bdc35ecda26).
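To make the expected semantics concrete, here is an added Python example (not pacemaker's or pcs's code) that resolves which ACL roles and permissions apply to a user from a CIB `<acls>` section, once by consulting only `acl_target` entries (the behaviour the report observes) and once by also consulting `acl_group` entries against the user's POSIX groups. The `<acls>` fragment is constructed for the example in the acls-2.0 layout; the user's group list is passed in as an argument (what `id -Gn rouser` would print) so the code runs offline, and the resolution logic itself is an assumption about the intended behaviour, not pacemaker's implementation.

```python
"""Resolve effective CIB ACL roles for a user, by direct target and by group.

Added illustration, not code from pacemaker or pcs. The resolution rules are
an assumption about the intended semantics of acl_target / acl_group.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the state the reproduction steps leave in the CIB
# (role "readonly" granted to group "rogroup"), plus a direct user
# assignment for comparison.
SAMPLE_ACLS = """
<acls>
  <acl_role id="readonly">
    <acl_permission id="readonly-read" kind="read" xpath="/cib"/>
  </acl_role>
  <acl_role id="admin">
    <acl_permission id="admin-write" kind="write" xpath="/cib"/>
  </acl_role>
  <acl_target id="alice">
    <role id="admin"/>
  </acl_target>
  <acl_group id="rogroup">
    <role id="readonly"/>
  </acl_group>
</acls>
"""


def effective_roles(acls_xml, user, user_groups, honor_groups=True):
    """Return the set of acl_role ids that apply to `user`.

    `user_groups` is the user's POSIX group list, supplied by the caller.
    With honor_groups=False only acl_target entries are consulted, which is
    the behaviour the bug report observes: a user whose only grant comes
    through acl_group ends up with no roles at all.
    """
    root = ET.fromstring(acls_xml)
    roles = set()
    for target in root.findall("acl_target"):
        if target.get("id") == user:
            roles.update(r.get("id") for r in target.findall("role"))
    if honor_groups:
        for group in root.findall("acl_group"):
            if group.get("id") in user_groups:
                roles.update(r.get("id") for r in group.findall("role"))
    return roles


def effective_permissions(acls_xml, user, user_groups, honor_groups=True):
    """Expand the user's roles into sorted (kind, xpath, permission-id) tuples."""
    root = ET.fromstring(acls_xml)
    roles = effective_roles(acls_xml, user, user_groups, honor_groups)
    perms = []
    for role in root.findall("acl_role"):
        if role.get("id") not in roles:
            continue
        for perm in role.findall("acl_permission"):
            perms.append((perm.get("kind"), perm.get("xpath"), perm.get("id")))
    return sorted(perms)


def can_read_cib(acls_xml, user, user_groups, honor_groups=True):
    """True if the user holds a read or write permission on the /cib xpath."""
    return any(
        kind in ("read", "write") and xpath == "/cib"
        for kind, xpath, _ in effective_permissions(
            acls_xml, user, user_groups, honor_groups
        )
    )


if __name__ == "__main__":
    # rouser, as created in the reproduction steps: member of haclient and
    # rogroup, with no direct acl_target entry.
    groups = ["haclient", "rogroup"]
    for honor in (False, True):
        print(
            f"honor_groups={honor}: roles={sorted(effective_roles(SAMPLE_ACLS, 'rouser', groups, honor))}"
            f" can_read_cib={can_read_cib(SAMPLE_ACLS, 'rouser', groups, honor)}"
        )
```

Running the script prints no roles and no read access for rouser when groups are ignored, and the readonly role with read access once acl_group entries are honoured, which is the gap between the "Actual results" and "Expected results" above. To check a live cluster's definitions rather than the constructed sample, feed the `<acls>` section exported with `cibadmin --query --scope acls` and the group list from `id -Gn <user>` into the same functions.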
This was always planned, could have sworn I implemented it.
No idea where it went, perhaps we were waiting for the group info to be exposed in libqb?
Capacity constrained, bumping to 7.4
This will not be ready in the 7.4 timeframe.
Due to time constraints, this will not make 7.5