Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

3.3. Setting User Permissions

By default, the root user and any user who is a member of the group haclient has full read/write access to the cluster configuration. As of Red Hat Enterprise Linux 6.6, you can use the pcs acl command to set permission for local users to allow read-only or read-write access to the cluster configuration by using access control lists (ACLs).
Setting permissions for local users is a two-step process:
  1. Execute the pcs acl role create... command to create a role which defines the permissions for that role.
  2. Assign the role you created to a user with the pcs acl user create command.
The following example procedure provides read-only access for a cluster configuration to a local user named rouser.
  1. This procedure requires that the user rouser exists on the local system and that the user rouser is a member of the group haclient. 
    # adduser rouser
# usermod -a -G haclient rouser
  2. Enable Pacemaker ACLs with the enable-acl cluster property. 
    # pcs property set enable-acl=true --force
  3. Create a role named read-only with read-only permissions for the cib. 
    # pcs acl role create read-only description="Read access to cluster" read xpath /cib
  4. Create the user rouser in the pcs ACL system and assign that user the read-only role. 
    # pcs acl user create rouser read-only
  5. View the current ACLs. 
    # pcs acl
User: rouser
  Roles: read-only
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
The following example procedure provides write access for a cluster configuration to a local user named wuser.
  1. This procedure requires that the user wuser exists on the local system and that the user wuser is a member of the group haclient. 
    # adduser wuser
# usermod -a -G haclient wuser
  2. Enable Pacemaker ACLs with the enable-acl cluster property. 
    # pcs property set enable-acl=true --force
  3. Create a role named write-access with write permissions for the cib. 
    # pcs acl role create write-access description="Full access" write xpath /cib
  4. Create the user wuser in the pcs ACL system and assign that user the write-access role. 
    # pcs acl user create wuser write-access
  5. View the current ACLs. 
    # pcs acl
User: rouser
  Roles: read-only
User: wuser
  Roles: write-access
Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
Role: write-access
  Description: Full Access
  Permission: write xpath /cib (write-access-write)
For further information about cluster ACLs, see the help screen for the pcs acl command.