Bug 1253191 - pacemaker ACL definitions using PAM groups
pacemaker ACL definitions using PAM groups
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pacemaker (Show other bugs)
Unspecified Unspecified
low Severity low
: rc
: 7.7
Assigned To: Jan Pokorný
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2015-08-13 04:01 EDT by Christoph
Modified: 2018-05-17 15:45 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3266091 None None None 2017-12-07 12:09 EST

  None (edit)
Description Christoph 2015-08-13 04:01:42 EDT
---++ Description of problem

unable to use PAM groups to define Access Control Lists in pacemaker

---++ Version-Release number of selected component (if applicable)


---++ How reproducible


---++ Steps to Reproduce

# create a group
groupadd rogrou
# create a user
useradd -G haclient,rogroup rouser
# verify
id rouser
# uid=4101(rouser) gid=4101(rouser) 
# groups=4101(rouser),189(haclient),10001(rogroup)

# enable acl
pcs acl enable
# define role
pcs acl role create readonly read xpath /cib
# add group
pcs acl group create rogroup readonly
# verify
pcs acl

# ACLs are enabled
# Group: rogroup
#   Roles: readonly
# Role: readonly
#   Permission: read xpath /cib (readonly-read)

---++ Actual results

[rouser@nodea ~]$ pcs resource
Error: unable to get resource list from crm_resource
Error performing operation: Permission denied

---++ Expected results

resource status shown.

---++ Notes

Directly assigning roles to the user works (pcs acl user create rouser readonly), but groups should be used as multiple users need the same permissions.
Comment 3 Tomas Jelinek 2015-11-13 05:07:24 EST
Looks like pacemaker issue to me:
1. pcs sets ACLs in the CIB just fine
2. I found "acl_group" in pacemaker sources only in xml/acls-2.0.rng and include/crm/msg_xml.h: # define XML_ACL_TAG_GROUP "acl_group", but XML_ACL_TAG_GROUP is not used anywhere as far as I can see (searching through upstream sources commit e54e3c151764aed9c423d9be2f144bdc35ecda26).
Comment 4 Andrew Beekhof 2015-11-25 18:29:33 EST
This was always planned, could have sworn I implemented it. 
No idea where it went, perhaps we were waiting for the group info to be exposed in libqb?
Comment 6 Ken Gaillot 2016-07-05 16:49:42 EDT
Capacity constrained, bumping to 7.4
Comment 7 Ken Gaillot 2017-03-06 18:29:52 EST
This will not be ready in the 7.4 timeframe.
Comment 8 Ken Gaillot 2017-10-09 13:44:37 EDT
Due to time constraints, this will not make 7.5

Note You need to log in before you can comment on or make changes to this bug.