+++ This bug was initially created as a clone of Bug #1253191 +++

Pacemaker supports acl_group syntax in its Configuration Information Base (CIB), and pcs supports configuring the syntax via its acl command, but pacemaker does not yet implement the feature.

---++ Steps to Reproduce

# create a group
groupadd rogroup
# create a user
useradd -G haclient,rogroup rouser
# enable acl
pcs acl enable
# define role
pcs acl role create readonly read xpath /cib
# add group
pcs acl group create rogroup readonly

---++ Actual results

[rouser@nodea ~]$ pcs resource
Error: unable to get resource list from crm_resource
Error performing operation: Permission denied

---++ Expected results

resource status shown.
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
(In reply to RHEL Program Management from comment #4)
> After evaluating this issue, there are no plans to address it further or fix
> it in an upcoming release. Therefore, it is being closed. If plans change
> such that this issue will be fixed in an upcoming release, then the bug can
> be reopened.

This is still a priority, but we do not yet know when developer time will become available for it. Once we know what release the fix will be in, we will reopen this.
Fixed in upstream main branch as of commit 1bb7fda60
Before fix:
-----------

> [root@virt-032 ~]# rpm -q pacemaker
> pacemaker-2.1.2-4.el8.x86_64
> [root@virt-032 ~]# pcs resource create dummy ocf:pacemaker:Dummy
>
> [root@virt-032 ~]# pcs status
> Cluster name: STSRHTS28411
> Cluster Summary:
>   * Stack: corosync
>   * Current DC: virt-034 (version 2.1.2-4.el8-ada5c3b36e2) - partition with quorum
>   * Last updated: Mon Aug 8 17:30:21 2022
>   * Last change: Mon Aug 8 17:30:15 2022 by root via cibadmin on virt-032
>   * 3 nodes configured
>   * 4 resource instances configured
> Node List:
>   * Online: [ virt-032 virt-033 virt-034 ]
> Full List of Resources:
>   * fence-virt-032 (stonith:fence_xvm): Started virt-032
>   * fence-virt-033 (stonith:fence_xvm): Started virt-033
>   * fence-virt-034 (stonith:fence_xvm): Started virt-034
>   * dummy (ocf::pacemaker:Dummy): Started virt-032
> Daemon Status:
>   corosync: active/disabled
>   pacemaker: active/disabled
>   pcsd: active/enabled

Create a group “test_group”:

> [root@virt-032 ~]# groupadd test_group

Create a user “test_user” and add it to the group, enable acl:

> [root@virt-032 ~]# useradd -G haclient,test_group test_user
> [root@virt-032 ~]# pcs acl enable

Create role:

> [root@virt-032 ~]# pcs acl role create readonly read xpath /cib

Assign role to the “test_group”:

> [root@virt-032 ~]# pcs acl group create test_group readonly
> [root@virt-032 ~]# pcs acl
> ACLs are enabled
> Group: test_group
>   Roles: readonly
> Role: readonly
>   Permission: read xpath /cib (readonly-read)

Login as a “test_user”:

> [root@virt-032 ~]# su test_user
> [test_user@virt-032 root]$ pcs acl
> Error: unable to get crm_config
> Call cib_query failed (-13): Permission denied
> [test_user@virt-032 root]$ pcs resource
> Error: unable to get cluster status from crm_mon
> crm_mon: Connection to cluster failed: Permission denied

After fix:
----------

> [root@virt-024 ~]# rpm -q pacemaker
> pacemaker-2.1.4-4.el8.x86_64
> [root@virt-024 ~]# pcs status
> Cluster name: STSRHTS15483
> Cluster Summary:
>   * Stack: corosync
>   * Current DC: virt-024 (version 2.1.4-4.el8-dc6eb4362e) - partition with quorum
>   * Last updated: Wed Aug 3 10:16:56 2022
>   * Last change: Tue Aug 2 15:46:25 2022 by root via cibadmin on virt-024
>   * 2 nodes configured
>   * 2 resource instances configured
> Node List:
>   * Online: [ virt-024 virt-025 ]
> Full List of Resources:
>   * fence-virt-024 (stonith:fence_xvm): Started virt-024
>   * fence-virt-025 (stonith:fence_xvm): Started virt-025
> Daemon Status:
>   corosync: active/enabled
>   pacemaker: active/enabled
>   pcsd: active/enabled

Create a group “test_group”:

> [root@virt-024 ~]# groupadd test_group

Create a user “test_user” and add it to the group, enable acl:

> [root@virt-024 ~]# useradd -G haclient,test_group test_user
> [root@virt-024 ~]# pcs acl enable

Create role:

> [root@virt-024 ~]# pcs acl role create readonly read xpath /cib

Assign role to the “test_group”:

> [root@virt-024 ~]# pcs acl group create test_group readonly
> [root@virt-024 ~]# pcs acl
> ACLs are enabled
> Group: test_group
>   Roles: readonly
> Role: readonly
>   Permission: read xpath /cib (readonly-read)

Create resource:

> [root@virt-024 ~]# pcs resource create dummy ocf:pacemaker:Dummy

Login as a “test_user”:

> [root@virt-024 ~]# su test_user
> [test_user@virt-024 root]$ pcs acl
> ACLs are enabled
> Group: test_group
>   Roles: readonly
> Role: readonly
>   Permission: read xpath /cib (readonly-read)
> [test_user@virt-024 root]$ pcs resource
>   * dummy (ocf::pacemaker:Dummy): Started virt-024

marking verified in pacemaker-2.1.4-4.el8
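
The before/after behaviour verified above, as an added example that is not Pacemaker's code and not part of the original report: a simplified model of role resolution over a constructed CIB acls fragment, where honor_groups=False stands in for a daemon that accepts acl_group entries but does not apply them. The function names, the haclient requirement taken from the reproduction steps, and the exact-match treatment of /cib are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed CIB <acls> fragment matching the "pcs acl" output shown above.
CIB_ACLS = """
<acls>
  <acl_role id="readonly">
    <acl_permission id="readonly-read" kind="read" xpath="/cib"/>
  </acl_role>
  <acl_group id="test_group">
    <role id="readonly"/>
  </acl_group>
</acls>
"""

def effective_permissions(acls_xml, user, groups, honor_groups=True):
    """Return sorted (kind, xpath) pairs that roles grant to `user`.

    honor_groups=False models a daemon that parses acl_group but ignores it.
    """
    root = ET.fromstring(acls_xml)
    roles = {r.get("id"): r for r in root.findall("acl_role")}
    role_ids = []
    for target in root.findall("acl_target"):
        if target.get("id") == user:
            role_ids += [r.get("id") for r in target.findall("role")]
    if honor_groups:
        for group in root.findall("acl_group"):
            if group.get("id") in groups:
                role_ids += [r.get("id") for r in group.findall("role")]
    perms = set()
    for rid in role_ids:
        role = roles.get(rid)
        if role is None:
            continue  # a dangling role reference grants nothing
        for perm in role.findall("acl_permission"):
            perms.add((perm.get("kind"), perm.get("xpath")))
    return sorted(perms)

def can_read_cib(acls_xml, user, groups, honor_groups=True):
    """Simplified check: only an exact read or write grant on /cib counts."""
    # Assumption taken from the reproduction steps: the account is also
    # placed in haclient, so the model requires that membership.
    if "haclient" not in groups:
        return False
    perms = effective_permissions(acls_xml, user, groups, honor_groups)
    return ("read", "/cib") in perms or ("write", "/cib") in perms
```

Run against the output of a real CIB query, the same resolution makes it easy to spot accounts whose only grant comes through a group, which are the ones affected by whether the installed pacemaker applies acl_group.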
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (pacemaker bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7573