Contents
Abstract
The various tools for administrating clusters, like the crm shell,
Hawk, or the Pacemaker GUI, can be used by root or any user in the
group haclient. By default,
these users have full read-write access. In some cases, you may want to
limit access or assign more fine-grained access rights.
Optional Access control lists (ACLs) allow you to
define rules for users in the
haclient group to allow or
deny access to any part of the cluster configuration. Typically, sets or
rules are combined into roles. Then you can assign users to a role that
fits their tasks.
Before you start using ACLs on your cluster, make sure the following conditions are fulfilled:
The same users must be available on all nodes in your cluster. Use NIS to ensure this.
All users must belong to the
haclient group.
All users have to run the crm shell by its absolute path
/usr/sbin/crm.
Note the following points:
ACLs are an optional feature. If the ACL feature is disabled,
root and users belonging to the
haclient group have full
read/write access to the cluster configuration.
If you want to enable the ACL feature, use this command:
crm configure property enable-acl=true
If non-privileged users want to run the crm shell, they have to change
the PATH variable and extend it with
/usr/sbin.
To use ACLs you need some knowledge about XPath. XPath is a language for selecting nodes in an XML document. Refer to http://en.wikipedia.org/wiki/XPath or look into the specification at http://www.w3.org/TR/xpath/.
An ACL role is a set of rules which describe access rights to CIB. Rules consist of:
access rights to read, write, or deny, and
a specification where to apply the rule. This specification can be a tag, an id reference, a combination of both, or an XPath expression.
In most cases, it is more convenient to bundle ACLs into roles and assign a role to a user. However, it is possible to give a user certain access rules without defining any roles.
There are two methods to manage ACL rules:
Via an XPath Expression. You need to know the structure of the underlying XML to create ACL rules.
Via a Tag and/or Ref Abbreviation. Create a shorthand syntax and ACL rules apply to the matched objects.
To manage ACL rules via XPath, you need to know the structure of the underlying XML. Retrieve the structure with the following command:
crm configure show xml
The XML structure can also be displayed in the Pacemaker GUI by selecting +. Regardless of the tool, the output is your cluster configuration in XML (see Example 10.1, “Excerpt of a Cluster Configuration in XML”).
Example 10.1. Excerpt of a Cluster Configuration in XML¶
<cib admin_epoch="0"
cib-last-written="Wed Nov 2 16:42:51 2011"
crm_feature_set="3.0.5"
dc-uuid="stuttgart"
epoch="13" have-quorum="1" num_updates="42"
update-client="cibadmin"
update-origin="nuernberg"
update-user="root"validate-with="pacemaker-1.2">
<configuration>
<crm_config>
<cluster_property_set id="cib-bootstrap-options">
<nvpair id="cib-bootstrap-options-stonith-enabled"
name="stonith-enabled" value="true"/>
</cluster_property_set>
</crm_config>
<nodes>
<node id="stuttgart" type="normal" uname="stuttgart"/>
<node id="nuernberg" type="normal" uname="nuernberg"/>
</nodes>
<resources> ... </resources>
<constraints/>
<rsc_defaults> ... </rsc_defaults>
<op_defaults> ... </op_defaults>
<configuration>
</cib>
With the XPath language you can locate nodes in this XML document. For
example, to select the root node (cib) use the XPath
expression /cib. To locate the global cluster
configurations, use the XPath
/cib/configuration/crm_config.
The following table collects the access type and the XPath expression to create an “operator” role:
Table 10.1. Types and XPath Expression for an Operator Role
|
Type |
XPath/Explanation |
|---|---|
|
Write |
//crm_config//nvpair[@name='maintenance-mode'] Turn maintenance mode on or off. |
|
Write |
//op_defaults//nvpair[@name='record-pending'] Choose whether pending operations are recorded. |
|
Write |
//nodes/node//nvpair[@name='standby'] Set node in online or standby mode. |
|
Write |
//resources//nvpair[@name='target-role'] Start, stop, promote or demote any resource. |
|
Write |
//resources//nvpair[@name='is-managed'] Select if a resource should be managed or not. |
|
Write |
//constraints/rsc_location Migrate/move resources from one node to another. |
|
Read |
/cib View the status of the cluster. |
For users who do not want to deal with the XML structure there is an easier method. It is a combination of a tag specifier and/or a reference.
For example, consider the following XPath:
/cib/resources/primitive[@id='rsc1']
primitive is a resource with the reference
rsc1. The abbreviated syntax is:
tag: "primitive" ref:"rsc1"
This also works for constraints. Here is the verbose XPath:
/cib/constraint/rsc_location
The abbreviated syntax is written like this:
tag: "rsc_location"
The CIB daemon knows how to apply the ACL rules to the matched objects. The abbreviated syntax can be used in the crm Shell or the Pacemaker GUI.
Use the Pacemaker GUI to define your roles and users. The following procedure adds a “monitor” role which has only read access to the CIB. Proceed as follows:
Procedure 10.1. Adding a Monitor Role and Assigning a User with the Pacemaker GUI¶
Start the Pacemaker GUI and log in as described in Section 5.1.1, “Logging in to a Cluster”.
Click the entry in the tree.
Click . A dialog box appears. Choose between and .
To define your ACL role(s):
Choose . A window opens in which you add your configuration options.
Add a unique identifier in the textfield, for
example monitor.
Click and choose the rights (, , or ). In our example, select and proceed with .
Enter the XPath expression /cib in the
textfield. Proceed with
.
Sidenote: If you have resources or constraints, you can also use the abbreviated syntax as explained in Section 10.2.2, “Setting ACL Rules via Tag Abbreviations”. In this case, enter your tag in the textfield and the optional reference in the textfield. In our example, there is no abbreviated form possible, so you can only use the XPath notation here.
If you have other conditions, repeat the steps (Step 4.c and Step 4.d). In our example, this is not the case so your role is finished and you can close the window with .
Assign your role to a user:
Click the button. A dialog box appears to choose between and .
Choose . A window opens in which you add your configuration options.
Enter the username in the textfield. Make sure
this user belongs to the
haclient group.
Click and choose .
Use the role name specified in Step 4.b.
The following procedure adds a “monitor” role as shown in Section 10.3, “Configuring ACLs with the Pacemaker GUI” and assigns it to a user. Proceed as follows:
Procedure 10.2. Adding a Monitor Role and Assigning a User with the crm Shell¶
Log in as root.
Start the interactive mode of the crm shell:
# crm configure crm(live)configure#
Define your ACL role(s):
Use the role command to define your new role. To define a “monitor” role, use the following command:
role monitor read xpath:"/cib"
The previous command creates a new role with name
monitor, sets the read rights and applies it to
all elements in the CIB by using the XPath /cib.
If necessary, you can add more access rights and XPath arguments.
Sidenote: If you have resources or constraints, you can also use the
abbreviated syntax as explained in
Section 10.2.2, “Setting ACL Rules via Tag Abbreviations”. If you have a
primitive resource with the ID rsc1, use the
following notation to set the access rights: write
tag:"primitive" ref:"rsc1". You can also refer to the ID
with write ref:"rsc1". This has the advantage that
it can match a primitive resource and a local resource manager
resource (LRM), which enables you to configure
rsc1 and also cleanup its status at the same time.
Add additional roles as needed.
Assign your roles to users. Make sure this user belongs to the
haclient group.
crm(live)configure# user tux role:monitor
Check your changes:
crm(live)configure# show
Commit your changes:
crm(live)configure# commit