Allow a Local User Read-Only or Read/Write Access to the Cluster Configuration (Pacemaker ACLs)

In this article we will see how to give a local user read-only or full read/write access to the cluster configuration. On a RHEL 7/CentOS 7 cluster the root user (and the hacluster user) is a member of the group "haclient" and has full read/write access to the cluster configuration; ACLs never restrict those two accounts.

We can use the pcs acl command to grant other local users read-only or read/write access to the cluster configuration by using access control lists (ACLs). Three points matter before you start: ACLs apply only to members of the haclient group other than root and hacluster; they are enforced only while the enable-acl cluster property is true; and because anyone who can write the configuration can define resources whose agents Pacemaker runs as root on every node, read/write access should be treated as root-equivalent and granted sparingly.

Steps to provide read-only access to a local user

In our demonstration, the user "anil" is given read-only access and the user "gaurav" is given write access.

1) Add the local user to the group haclient.

With the following commands, create the user anil and make it a member of the group haclient.

# adduser anil
# passwd anil
Changing password for user anil.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
# usermod -a -G haclient anil
# grep haclient /etc/group
haclient:x:189:anil
#

Note the BAD PASSWORD warning above: this is a demo. A haclient member can read the whole cluster configuration (and, with the write role below, change it), and the same password is what pcsd accepts over the network, so choose a password that passes the policy on a real cluster.

2) Enable the Pacemaker ACLs.

Pacemaker ACLs are enforced only when the enable-acl cluster property is true. Set it with the following command (--force makes pcs accept the property even if its version does not list enable-acl as a known property):

# pcs property set enable-acl=true --force

3) Create a role.

The following command creates a role named read-only with read permission on the whole CIB (xpath /cib):

# pcs acl role create read-only description="Read access to cluster" read xpath /cib

4) Assign the read-only role to local user.

The following command creates the user anil in the pcs ACL system and assigns the read-only role to that user:

# pcs acl user create anil read-only

To view the current ACLs, run:

# pcs acl
ACLs are enabled
User: anil
  Roles: read-only
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)

Now verify that anil really has read-only access. On first use pcs asks for anil's own system password to authenticate to the local pcsd:

# su - anil
Last login: Sat Apr  1 04:42:22 EDT 2017 on pts/0
$  pcs status
Cluster name: ACL_cluster
Please authenticate yourself to the local pcsd
Username: anil
Password:
localhost: Authorized

Stack: corosync
Current DC: node1-server (version 1.1.15-11.el7-e174ec8) - partition with quorum
Last updated: Sat Apr  1 04:43:27 2017          Last change: Sat Apr  1 04:41:25 2017 by root via cibadmin on node1-server
2 nodes and 1 resource configured
Online: [ node1-server node2-server ]
Full list of resources:

 virtual_ip     (ocf::heartbeat:IPaddr2):       Started node1-server

Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled

Now try to move the resource to the other cluster node; the write is rejected because the role only grants read:

$ pcs resource move virtual_ip node2-server
Error: error moving/banning/clearing resource
Error performing operation: Permission denied
$

Steps to provide write access to a local user

1) Add the local user to the group haclient.

We use "gaurav" as the local user to be given write access. Create the user and add it to the group haclient with the following commands (the same password caveat as above applies):

# adduser gaurav
# passwd gaurav
Changing password for user gaurav.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
# usermod -a -G haclient gaurav

2) Enable the Pacemaker ACLs.

The "enable-acl" cluster property enables Pacemaker ACLs; if you already set it for the read-only procedure it is cluster-wide and need not be set again:

# pcs property set enable-acl=true --force

Note: The first two steps of the write-access procedure are the same as in the read-only procedure.

3) Create a role.

The following command creates a role named write-access with write permission on the whole CIB (xpath /cib). Because Pacemaker runs resource agents as root, a user who can write the whole CIB can effectively run commands as root on every node, so grant this only to trusted administrators, or narrow the xpath to the part of the configuration the user really needs.

# pcs acl role create write-access description="Full access to cluster" write xpath /cib

4) Assign the write-access role to local user.

The following command creates the user gaurav in the pcs ACL system and assigns the write-access role to that user:

# pcs acl user create gaurav write-access

View the current ACLs:

# pcs acl
ACLs are enabled

User: anil
  Roles: read-only
User: gaurav
  Roles: write-access
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
Role: write-access
  Description: Full access to cluster
  Permission: write xpath /cib (write-access-write)

Now, as user gaurav, move the resource to the other cluster node; this time the write succeeds:

# su - gaurav
$ pcs resource move virtual_ip node2-server
$ pcs resource show
 virtual_ip     (ocf::heartbeat:IPaddr2):       Started node2-server
$
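Once both procedures are done, the question a practitioner wants answered is "who can actually change this cluster?". The following Python audit script is an added example, not code from the original post or from the pcs/Pacemaker projects. It assumes the input is a CIB dump as returned by `pcs cluster cib` (or `cibadmin --query`) on RHEL 7, and that the <acls> section uses Pacemaker's acl_role / acl_permission / acl_target / acl_group elements; the sample CIB embedded below is constructed to match the article's two roles and users, plus a hypothetical "operators" group with a narrower constraints-only role for contrast. It checks that enable-acl is really on, expands each user's and group's roles into effective permissions, and flags any subject whose write permission is broad enough to define resources (and therefore run commands as root on the nodes).

```python
"""Audit Pacemaker ACLs in a CIB dump (added example, not from the original post).

Assumptions: CIB XML as produced by `pcs cluster cib`; Pacemaker 1.1.12+ ACL
elements (acl_role/acl_permission/acl_target/acl_group). SAMPLE_CIB is a
constructed fragment matching the article's roles and users.
"""
import xml.etree.ElementTree as ET

SAMPLE_CIB = """<cib validate-with="pacemaker-2.8" epoch="12" num_updates="0" admin_epoch="0">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="cib-bootstrap-options-cluster-name" name="cluster-name" value="ACL_cluster"/>
        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
      </cluster_property_set>
    </crm_config>
    <acls>
      <acl_role id="read-only" description="Read access to cluster">
        <acl_permission id="read-only-read" kind="read" xpath="/cib"/>
      </acl_role>
      <acl_role id="write-access" description="Full access to cluster">
        <acl_permission id="write-access-write" kind="write" xpath="/cib"/>
      </acl_role>
      <acl_role id="constraints-only" description="Hypothetical narrower role">
        <acl_permission id="constraints-only-write" kind="write" xpath="/cib/configuration/constraints"/>
      </acl_role>
      <acl_target id="anil">
        <role id="read-only"/>
      </acl_target>
      <acl_target id="gaurav">
        <role id="write-access"/>
      </acl_target>
      <acl_group id="operators">
        <role id="constraints-only"/>
      </acl_group>
    </acls>
  </configuration>
</cib>
"""

# Write access at or above the <resources> section lets a user define resources
# whose agents Pacemaker runs as root on every node: treat it as root-equivalent.
RESOURCES_PATH = ["cib", "configuration", "resources"]


def acls_enabled(cib_xml):
    """True only when the enable-acl cluster property is present and true."""
    root = ET.fromstring(cib_xml)
    for nv in root.iterfind("./configuration/crm_config/cluster_property_set/nvpair"):
        if nv.get("name") == "enable-acl":
            return nv.get("value", "").lower() == "true"
    return False  # property absent: Pacemaker ignores the <acls> section entirely


def role_permissions(cib_xml):
    """Map role id -> list of (kind, target) from its acl_permission children."""
    roles = {}
    for role in ET.fromstring(cib_xml).iterfind("./configuration/acls/acl_role"):
        roles[role.get("id")] = [
            (p.get("kind"), p.get("xpath") or p.get("reference") or p.get("object-type"))
            for p in role.iterfind("acl_permission")
        ]
    return roles


def effective_permissions(cib_xml):
    """Map 'user:NAME' or 'group:NAME' -> permissions of every role assigned to it."""
    roles = role_permissions(cib_xml)
    subjects = {}
    for tag, prefix in (("acl_target", "user"), ("acl_group", "group")):
        for subject in ET.fromstring(cib_xml).iterfind("./configuration/acls/" + tag):
            subjects[prefix + ":" + subject.get("id")] = [
                perm for r in subject.iterfind("role") for perm in roles.get(r.get("id"), [])
            ]
    return subjects


def covers_resources(xpath):
    """Heuristic for simple absolute paths: is <resources> inside this xpath's subtree?"""
    parts = [p for p in xpath.split("/") if p]
    return bool(parts) and RESOURCES_PATH[:len(parts)] == parts


def root_equivalent_subjects(cib_xml):
    """Users/groups holding a write permission broad enough to create resources."""
    return sorted(
        subject
        for subject, perms in effective_permissions(cib_xml).items()
        if any(kind == "write" and covers_resources(target or "") for kind, target in perms)
    )


if __name__ == "__main__":
    print("enable-acl:", acls_enabled(SAMPLE_CIB))
    for subject, perms in effective_permissions(SAMPLE_CIB).items():
        print(subject, perms)
    print("root-equivalent:", root_equivalent_subjects(SAMPLE_CIB))
```

Run it against a live dump with `pcs cluster cib > cib.xml` and `acls_enabled(open("cib.xml").read())` etc. The path check is deliberately a heuristic for plain absolute xpaths; anything using predicates or `//` is not flagged and should be reviewed by hand. On the sample, anil is read-only, the operators group can only touch constraints, and only gaurav is reported as root-equivalent, which is exactly what the article's write-access role grants.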

Read Also:

Examples Using PCS Command on Linux- Part 1

Examples Using PCS Command on Linux- Part 2

Hope this post helps Linux/Unix beginners. Please share your feedback and comments. Stay tuned for more updates from ittroubleshooter.in!
