1724310 – Implement acl_group in pacemaker

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1724310 - Implement acl_group in pacemaker

Summary: Implement acl_group in pacemaker

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pacemaker
Sub Component:
Version:	8.0
Hardware:	All
OS:	All
Priority:	high
Severity:	medium
Target Milestone:	pre-dev-freeze
Target Release:	8.7
Assignee:	gchin
QA Contact:	cluster-qe@redhat.com
Docs Contact:	Steven J. Levine
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-06-26 18:13 UTC by Ken Gaillot
Modified:	2022-11-11 16:41 UTC (History)
CC List:	12 users (show)
Fixed In Version:	pacemaker-2.1.4-3.el8
Doc Type:	Enhancement
Doc Text:	.Pacemaker now supports specifying Access Control Lists (ACLs) for system groups Pacemaker previously allowed ACLs to be specified for individual users, but it is sometimes simpler and would comform better with local policies to specify ACLs for a system group, and to have them apply to all users in that group. The `pcs acl group` command was present in earlier releases but had no effect. Now, users can now specify ACLs for a system group using this command.
Clone Of:	1253191
Environment:
Last Closed:	2022-11-08 09:42:25 UTC
Type:	Feature Request
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	CLUSTERQE-5744	None	None	None	2022-05-23 16:03:31 UTC
Red Hat Knowledge Base (Solution)	6984758	None	None	None	2022-11-11 16:41:06 UTC
Red Hat Product Errata	RHBA-2022:7573	None	None	None	2022-11-08 09:42:42 UTC

Description Ken Gaillot 2019-06-26 18:13:57 UTC

+++ This bug was initially created as a clone of Bug #1253191 +++

Pacemaker supports acl_group syntax in its Configuration Information Base (CIB), and pcs supports configuring the syntax via its acl command, but pacemaker does not yet implement the feature.

---++ Steps to Reproduce

# create a group
groupadd rogrou
# create a user
useradd -G haclient,rogroup rouser
# enable acl
pcs acl enable
# define role
pcs acl role create readonly read xpath /cib
# add group
pcs acl group create rogroup readonly

---++ Actual results

[rouser@nodea ~]$ pcs resource
Error: unable to get resource list from crm_resource
Error performing operation: Permission denied

---++ Expected results

resource status shown.

Comment 4 RHEL Program Management 2021-02-01 07:41:48 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 5 Ken Gaillot 2021-02-01 14:56:31 UTC

(In reply to RHEL Program Management from comment #4)
> After evaluating this issue, there are no plans to address it further or fix
> it in an upcoming release.  Therefore, it is being closed.  If plans change
> such that this issue will be fixed in an upcoming release, then the bug can
> be reopened.

This is still a priority, but we do not yet know when developer time will become available for it. Once we know what release the fix will be in, we will reopen this.

Comment 7 Ken Gaillot 2022-06-27 19:10:43 UTC

Fixed in upstream main branch as of commit 1bb7fda60

Comment 11 Markéta Smazová 2022-08-08 15:45:46 UTC

Before fix:
-----------

>   [root@virt-032 ~]# rpm -q pacemaker
>   pacemaker-2.1.2-4.el8.x86_64

>   [root@virt-032 ~]# pcs resource create dummy ocf:pacemaker:Dummy
>   
>   [root@virt-032 ~]# pcs status
>   Cluster name: STSRHTS28411
>   Cluster Summary:
>     * Stack: corosync
>     * Current DC: virt-034 (version 2.1.2-4.el8-ada5c3b36e2) - partition with quorum
>     * Last updated: Mon Aug  8 17:30:21 2022
>     * Last change:  Mon Aug  8 17:30:15 2022 by root via cibadmin on virt-032
>     * 3 nodes configured
>     * 4 resource instances configured

>   Node List:
>     * Online: [ virt-032 virt-033 virt-034 ]

>   Full List of Resources:
>     * fence-virt-032	(stonith:fence_xvm):	 Started virt-032
>     * fence-virt-033	(stonith:fence_xvm):	 Started virt-033
>     * fence-virt-034	(stonith:fence_xvm):	 Started virt-034
>     * dummy	(ocf::pacemaker:Dummy):	 Started virt-032

>   Daemon Status:
>     corosync: active/disabled
>     pacemaker: active/disabled
>     pcsd: active/enabled

Create a group “test_group”:
>   [root@virt-032 ~]# groupadd test_group

Create a user “test_user” and add it to the group, enable acl:
>   [root@virt-032 ~]# useradd -G haclient,test_group test_user
>   [root@virt-032 ~]# pcs acl enable

Create role:
>   [root@virt-032 ~]# pcs acl role create readonly read xpath /cib

Assign role to the “test_group”:
>   [root@virt-032 ~]# pcs acl group create test_group readonly
>   [root@virt-032 ~]# pcs acl
>   ACLs are enabled

>   Group: test_group
>     Roles: readonly
>   Role: readonly
>     Permission: read xpath /cib (readonly-read)

Login as a “test_user”:
>   [root@virt-032 ~]# su test_user

>   [test_user@virt-032 root]$ pcs acl
>   Error: unable to get crm_config
>   Call cib_query failed (-13): Permission denied

>   [test_user@virt-032 root]$ pcs resource
>   Error: unable to get cluster status from crm_mon
>   crm_mon: Connection to cluster failed: Permission denied


After fix:
----------

>   [root@virt-024 ~]# rpm -q pacemaker
>   pacemaker-2.1.4-4.el8.x86_64

>   [root@virt-024 ~]# pcs status
>   Cluster name: STSRHTS15483
>   Cluster Summary:
>     * Stack: corosync
>     * Current DC: virt-024 (version 2.1.4-4.el8-dc6eb4362e) - partition with quorum
>     * Last updated: Wed Aug  3 10:16:56 2022
>     * Last change:  Tue Aug  2 15:46:25 2022 by root via cibadmin on virt-024
>     * 2 nodes configured
>     * 2 resource instances configured

>   Node List:
>     * Online: [ virt-024 virt-025 ]

>   Full List of Resources:
>     * fence-virt-024	(stonith:fence_xvm):	 Started virt-024
>     * fence-virt-025	(stonith:fence_xvm):	 Started virt-025

>   Daemon Status:
>     corosync: active/enabled
>     pacemaker: active/enabled
>     pcsd: active/enabled

Create a group “test_group”:
>   [root@virt-024 ~]# groupadd test_group

Create a user “test_user” and add it to the group, enable acl:
>   [root@virt-024 ~]# useradd -G haclient,test_group test_user
>   [root@virt-024 ~]# pcs acl enable

Create role:
>   [root@virt-024 ~]# pcs acl role create readonly read xpath /cib

Assign role to the “test_group”:
>   [root@virt-024 ~]# pcs acl group create test_group readonly
>   [root@virt-024 ~]# pcs acl
>   ACLs are enabled

>   Group: test_group
>     Roles: readonly
>   Role: readonly
>     Permission: read xpath /cib (readonly-read)

Create resource:
>   [root@virt-024 ~]# pcs resource create dummy ocf:pacemaker:Dummy

Login as a “test_user”:
>   [root@virt-024 ~]# su test_user

>   [test_user@virt-024 root]$ pcs acl
>   ACLs are enabled

>   Group: test_group
>     Roles: readonly
>   Role: readonly
>     Permission: read xpath /cib (readonly-read)

>   [test_user@virt-024 root]$ pcs resource
>     * dummy	(ocf::pacemaker:Dummy):	 Started virt-024


marking verified in pacemaker-2.1.4-4.el8

Comment 19 errata-xmlrpc 2022-11-08 09:42:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pacemaker bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7573

Note You need to log in before you can comment on or make changes to this bug.