3.3. Setting User Permissions

By default, the root user and any user who is a member of the group haclient has full read/write access to the cluster configuration. As of Red Hat Enterprise Linux 6.6, you can use the pcs acl command to set permission for local users to allow read-only or read-write access to the cluster configuration by using access control lists (ACLs).
Setting permissions for local users is a two-step process:
  1. Execute the pcs acl role create... command to create a role which defines the permissions for that role.
  2. Assign the role you created to a user with the pcs acl user create command.
The following example procedure provides read-only access for a cluster configuration to a local user named rouser.
  1. This procedure requires that the user rouser exists on the local system and that the user rouser is a member of the group haclient.
    # adduser rouser
    # usermod -a -G haclient rouser
  2. Enable Pacemaker ACLs with the enable-acl cluster property.
    # pcs property set enable-acl=true --force 
  3. Create a role named read-only with read-only permissions for the cib.
    # pcs acl role create read-only description="Read access to cluster" read xpath /cib
  4. Create the user rouser in the pcs ACL system and assign that user the read-only role.
    # pcs acl user create rouser read-only
  5. View the current ACLs.
    # pcs acl
    User: rouser
      Roles: read-only
    Role: read-only
      Description: Read access to cluster
      Permission: read xpath /cib (read-only-read)
    
The following example procedure provides write access for a cluster configuration to a local user named wuser.
  1. This procedure requires that the user wuser exists on the local system and that the user wuser is a member of the group haclient.
    # adduser wuser
    # usermod -a -G haclient wuser
  2. Enable Pacemaker ACLs with the enable-acl cluster property.
    # pcs property set enable-acl=true --force 
  3. Create a role named write-access with write permissions for the cib.
    # pcs acl role create write-access description="Full access" write xpath /cib
  4. Create the user wuser in the pcs ACL system and assign that user the write-access role.
    # pcs acl user create wuser write-access
  5. View the current ACLs.
    # pcs acl
    User: rouser
      Roles: read-only
    User: wuser
      Roles: write-access
    Role: read-only
      Description: Read access to cluster
      Permission: read xpath /cib (read-only-read)
    Role: write-access
      Description: Full Access
      Permission: write xpath /cib (write-access-write)
    
For further information about cluster ACLs, see the help screen for the pcs acl command.