Some users have expressed interest in restricting the operations that can be done via a Pacemaker Remote node's command line. For example, disallowing root on a Pacemaker Remote node from running stonith_admin to fence a cluster node.

Pacemaker Remote nodes have access, via a proxy, to four Pacemaker APIs: crmd, stonithd, attrd, and the CIB. These APIs can be used by Pacemaker Remote itself, by resource agents for resources running on the Pacemaker Remote node, and by command-line tools run on the Pacemaker Remote command line.

The CIB already supports Access Control Lists (ACLs). For Pacemaker Remote nodes, access is restricted by the node name, rather than by the name of a user account on the node.

The new feature would support options to control the degree of crmd/stonithd/attrd API access allowed to a particular Pacemaker Remote node. This would likely take the form of a new "remote-*" meta-attribute for guest node resource agents, and a new parameter for the ocf:pacemaker:remote resource agent.

The new options would take a value indicating the restrictiveness, from fully open (the default) to only allowing the minimal access needed for the node to function (such as sending shutdown requests to the crmd). In between might be other levels, such as allowing the node to make requests regarding itself (such as setting node attributes for itself, or requesting fencing of itself), but not regarding other nodes.

Implementation-wise, the remote proxy should add the restrictiveness level to each proxied API request, and each daemon can enforce its own interpretation of that level to its API.