Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1724310

Summary:	Implement acl_group in pacemaker
Product:	Red Hat Enterprise Linux 8	Reporter:	Ken Gaillot <kgaillot>
Component:	pacemaker	Assignee:	gchin
Status:	CLOSED ERRATA	QA Contact:	cluster-qe <cluster-qe>
Severity:	medium	Docs Contact:	Steven J. Levine <slevine>
Priority:	high
Version:	8.0	CC:	amemon, cfeist, c.handel, cluster-maint, cluster-qe, jruemker, kgaillot, lmanasko, m.alshafay, msmazova, sbradley, tojeline
Target Milestone:	pre-dev-freeze	Keywords:	FutureFeature, Reopened, Triaged
Target Release:	8.7	Flags:	pm-rhel: mirror+
Hardware:	All
OS:	All
Whiteboard:
Fixed In Version:	pacemaker-2.1.4-3.el8	Doc Type:	Enhancement
Doc Text:	.Pacemaker now supports specifying Access Control Lists (ACLs) for system groups Pacemaker previously allowed ACLs to be specified for individual users, but it is sometimes simpler and would comform better with local policies to specify ACLs for a system group, and to have them apply to all users in that group. The `pcs acl group` command was present in earlier releases but had no effect. Now, users can now specify ACLs for a system group using this command.	Story Points:	---
Clone Of:	1253191	Environment:
Last Closed:	2022-11-08 09:42:25 UTC	Type:	Feature Request
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Ken Gaillot 2019-06-26 18:13:57 UTC

+++ This bug was initially created as a clone of Bug #1253191 +++

Pacemaker supports acl_group syntax in its Configuration Information Base (CIB), and pcs supports configuring the syntax via its acl command, but pacemaker does not yet implement the feature.

---++ Steps to Reproduce

# create a group
groupadd rogrou
# create a user
useradd -G haclient,rogroup rouser
# enable acl
pcs acl enable
# define role
pcs acl role create readonly read xpath /cib
# add group
pcs acl group create rogroup readonly

---++ Actual results

[rouser@nodea ~]$ pcs resource
Error: unable to get resource list from crm_resource
Error performing operation: Permission denied

---++ Expected results

resource status shown.

Comment 4 RHEL Program Management 2021-02-01 07:41:48 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 5 Ken Gaillot 2021-02-01 14:56:31 UTC

(In reply to RHEL Program Management from comment #4)
> After evaluating this issue, there are no plans to address it further or fix
> it in an upcoming release.  Therefore, it is being closed.  If plans change
> such that this issue will be fixed in an upcoming release, then the bug can
> be reopened.

This is still a priority, but we do not yet know when developer time will become available for it. Once we know what release the fix will be in, we will reopen this.

Comment 7 Ken Gaillot 2022-06-27 19:10:43 UTC

Fixed in upstream main branch as of commit 1bb7fda60

Comment 11 Markéta Smazová 2022-08-08 15:45:46 UTC

Before fix:
-----------

>   [root@virt-032 ~]# rpm -q pacemaker
>   pacemaker-2.1.2-4.el8.x86_64

>   [root@virt-032 ~]# pcs resource create dummy ocf:pacemaker:Dummy
>   
>   [root@virt-032 ~]# pcs status
>   Cluster name: STSRHTS28411
>   Cluster Summary:
>     * Stack: corosync
>     * Current DC: virt-034 (version 2.1.2-4.el8-ada5c3b36e2) - partition with quorum
>     * Last updated: Mon Aug  8 17:30:21 2022
>     * Last change:  Mon Aug  8 17:30:15 2022 by root via cibadmin on virt-032
>     * 3 nodes configured
>     * 4 resource instances configured

>   Node List:
>     * Online: [ virt-032 virt-033 virt-034 ]

>   Full List of Resources:
>     * fence-virt-032	(stonith:fence_xvm):	 Started virt-032
>     * fence-virt-033	(stonith:fence_xvm):	 Started virt-033
>     * fence-virt-034	(stonith:fence_xvm):	 Started virt-034
>     * dummy	(ocf::pacemaker:Dummy):	 Started virt-032

>   Daemon Status:
>     corosync: active/disabled
>     pacemaker: active/disabled
>     pcsd: active/enabled

Create a group “test_group”:
>   [root@virt-032 ~]# groupadd test_group

Create a user “test_user” and add it to the group, enable acl:
>   [root@virt-032 ~]# useradd -G haclient,test_group test_user
>   [root@virt-032 ~]# pcs acl enable

Create role:
>   [root@virt-032 ~]# pcs acl role create readonly read xpath /cib

Assign role to the “test_group”:
>   [root@virt-032 ~]# pcs acl group create test_group readonly
>   [root@virt-032 ~]# pcs acl
>   ACLs are enabled

>   Group: test_group
>     Roles: readonly
>   Role: readonly
>     Permission: read xpath /cib (readonly-read)

Login as a “test_user”:
>   [root@virt-032 ~]# su test_user

>   [test_user@virt-032 root]$ pcs acl
>   Error: unable to get crm_config
>   Call cib_query failed (-13): Permission denied

>   [test_user@virt-032 root]$ pcs resource
>   Error: unable to get cluster status from crm_mon
>   crm_mon: Connection to cluster failed: Permission denied


After fix:
----------

>   [root@virt-024 ~]# rpm -q pacemaker
>   pacemaker-2.1.4-4.el8.x86_64

>   [root@virt-024 ~]# pcs status
>   Cluster name: STSRHTS15483
>   Cluster Summary:
>     * Stack: corosync
>     * Current DC: virt-024 (version 2.1.4-4.el8-dc6eb4362e) - partition with quorum
>     * Last updated: Wed Aug  3 10:16:56 2022
>     * Last change:  Tue Aug  2 15:46:25 2022 by root via cibadmin on virt-024
>     * 2 nodes configured
>     * 2 resource instances configured

>   Node List:
>     * Online: [ virt-024 virt-025 ]

>   Full List of Resources:
>     * fence-virt-024	(stonith:fence_xvm):	 Started virt-024
>     * fence-virt-025	(stonith:fence_xvm):	 Started virt-025

>   Daemon Status:
>     corosync: active/enabled
>     pacemaker: active/enabled
>     pcsd: active/enabled

Create a group “test_group”:
>   [root@virt-024 ~]# groupadd test_group

Create a user “test_user” and add it to the group, enable acl:
>   [root@virt-024 ~]# useradd -G haclient,test_group test_user
>   [root@virt-024 ~]# pcs acl enable

Create role:
>   [root@virt-024 ~]# pcs acl role create readonly read xpath /cib

Assign role to the “test_group”:
>   [root@virt-024 ~]# pcs acl group create test_group readonly
>   [root@virt-024 ~]# pcs acl
>   ACLs are enabled

>   Group: test_group
>     Roles: readonly
>   Role: readonly
>     Permission: read xpath /cib (readonly-read)

Create resource:
>   [root@virt-024 ~]# pcs resource create dummy ocf:pacemaker:Dummy

Login as a “test_user”:
>   [root@virt-024 ~]# su test_user

>   [test_user@virt-024 root]$ pcs acl
>   ACLs are enabled

>   Group: test_group
>     Roles: readonly
>   Role: readonly
>     Permission: read xpath /cib (readonly-read)

>   [test_user@virt-024 root]$ pcs resource
>     * dummy	(ocf::pacemaker:Dummy):	 Started virt-024


marking verified in pacemaker-2.1.4-4.el8

Comment 19 errata-xmlrpc 2022-11-08 09:42:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pacemaker bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7573