Configuring ACL Permissions in the web UI

Use Pacemaker access control lists (ACLs) to provide local groups and users with role-based access to perform cluster configuration tasks.

To use ACLs in an HA cluster, the following prerequisites must be met:
  • The Enable ACLs cluster property (the Pacemaker enable-acl property) must be set to true for the cluster you're configuring. Until it is, Pacemaker ignores any ACL configuration in the CIB. See Setting Cluster Properties for information on how to do this.

  • The local users and groups being configured with ACL permissions must exist, with identical names, on each node in the cluster.

  • The local users must be members of the haclient group on each node in the cluster.

Configuring ACL permissions in the web UI involves working with the following pcs entities:

Cluster Information Base

The Cluster Information Base (CIB) is an XML representation of the cluster configuration and the current state of its resources. To view the CIB XML, run the following command:

sudo pcs cluster cib

Configuring ACL permissions in HA clusters involves configuring read, write, and deny rules for accessing different parts of the CIB XML. You can use XPath expressions, or the id values of XML elements, to specify the CIB XML elements to which permissions are to be applied. A permission applies to the selected element and its whole subtree, so a rule on /cib covers the entire configuration. For more information on the CIB, and the way permissions are applied to its XML, see the pcs(8) manual page.

Caution:

Don't edit the CIB directly. Instead, use the UI, or the pcs interface, to configure the cluster.

Roles

You create roles in the UI to define permissions needed by local groups and users. For example, you might create a role named resource_manager_role with write access to the /cib/configuration/resources XML subtree of the CIB, and assign this role to groups and users that need to manage cluster resources. Write access to that subtree lets the holder create, change, and delete any resource, and Pacemaker runs resource agents as root on the nodes, so grant it only to users you would trust with that level of access.

Groups

To assign role permissions to a local group on the cluster nodes, you create a corresponding pcs group in the web UI with the same name as the local group. You assign the role to the pcs group created in the UI, and the users in the corresponding local groups receive the ACL permissions defined in the role.

Users

To assign role permissions to a local user on the cluster nodes, you need to create a corresponding pcs user with a matching username in the web UI. You assign the role to the pcs user created in the UI, and the corresponding local user on each node is assigned the ACL permissions defined in the role.

Creating Roles

Use the Cockpit HA Cluster Management web UI to create roles with ACL permissions to perform cluster configuration tasks.

Use the web UI to create roles to configure read, write, and deny rules for accessing different parts of the CIB XML. You can use xpath values, or the id values of XML elements, to specify the CIB XML elements to which permissions are to be applied.

The following example procedure shows how you might create a role with permission to read the CIB and configure the resources.

Steps

To create a role in the HA Cluster Management web UI application, perform the following steps:

  1. In the Cockpit navigation pane, select HA Cluster Management.
    The Clusters page appears.
  2. In the Clusters page, select the cluster you're configuring.
    A tabbed page displaying the cluster information appears, initially with the Overview tab active.
  3. Select the ACL tab.
    The ACL tab becomes active.
  4. Select Create Role.
    The first page of the Create Role workflow appears.
  5. Specify a name, for example, resource_manager_role, and optionally add a description.

    Note:

    Role names must not conflict with group names. Use a naming convention that prevents such a conflict, for example by using different prefixes for group and role names.

    The Add permissions page appears.
  6. In the Add permissions page, configure read permission for the whole CIB XML by selecting xpath, entering a value of /cib (the root element), and selecting read from the list of permission types. Select Add permission.
    A new row of permission fields appears.
  7. In the new row, configure write permission for resources by selecting xpath, and entering a value of /cib/configuration/resources, and selecting write from the list of permission types.
    Upon completing this step the Review settings page appears.
  8. Select Create role.
    A message confirming the role has been created appears. Upon acknowledging the message, the workflow closes, and the ACL tab appears with the newly created role listed in the Roles section.

Creating Groups

Use the Cockpit HA Cluster Management web UI to create pcs groups that correspond to local groups on the cluster nodes.

What do you need?

The steps in the following procedure assume the following prerequisites have been met:

  • On each cluster node, a local group has been created with member users that require the same pcs ACL permissions. For example, a group named group_resource_users whose member users require write access to the resource configuration.

  • The user accounts must also be members of the haclient group on each node.

  • In the UI, you have created a role with the ACL permissions the local users require. See Creating Roles for information on how to do this.

Steps

To create a pcs group and assign a role to it, perform the following steps in the HA Cluster Management web UI application:

  1. In the Cockpit navigation pane, select HA Cluster Management.
    The Clusters page appears.
  2. In the Clusters page, select the cluster you're configuring.
    A tabbed page displaying the cluster information appears, initially with the Overview tab active.
  3. Select the ACL tab.
    The ACL tab becomes active.
  4. From the Actions menu, select Create Group.
    The first page of the Create group workflow appears.
  5. In the first page of the Create group workflow, in the Name field, enter a value that exactly matches the name of the corresponding local group on each node.
    For example, if the local group on each cluster node is named group_resource_users, enter this value in the Name field.
    The Assign ACL roles page appears.
  6. In the Assign ACL roles page, select the role you have created for this group and move it from the Available roles list to the Chosen roles list.
    The Review settings page appears.
  7. Select Create group.
    A message confirming the group has been created appears. Upon acknowledging the message, the workflow closes, and the ACL tab appears with the newly created group listed in the Groups section.
  8. Sign in to the HA Cluster Management web UI application using one of the user accounts belonging to the local group, and verify the role-defined permissions have been assigned to it.

Creating Users

Use the Cockpit HA Cluster Management web UI to create pcs users that correspond to local users on the cluster nodes.

What do you need?

The steps in the following procedure assume the following prerequisites have been met:

  • On each cluster node, there is a user account with the same username that requires pcs ACL permissions. The user account must be a member of the haclient group on each node.

  • In the UI, you have created a role with the ACL permissions the local user requires. See Creating Roles for information on how to do this.

Steps

To create a pcs user and assign a role to it, perform the following steps in the HA Cluster Management web UI application:

  1. In the Cockpit navigation pane, select HA Cluster Management.
    The Clusters page appears.
  2. In the Clusters page, select the cluster you're configuring.
    A tabbed page displaying the cluster information appears, initially with the Overview tab active.
  3. Select the ACL tab.
    The ACL tab becomes active.
  4. Select Create User.
    The first page of the Create user workflow appears.
  5. In the first page of the Create user workflow, in the Name field, enter a value that exactly matches the username of the corresponding local user on each node.
    For example, if the local user is named user1, enter this value in the Name field.
    The Assign ACL roles page appears.
  6. In the Assign ACL roles page, select the role you have created for this user and move it from the Available roles list to the Chosen roles list.
    The Review settings page appears.
  7. Select Create user.
    A message confirming the user has been created appears. Upon acknowledging the message, the workflow closes, and the ACL tab appears with the newly created user listed in the Users section.
  8. Sign in to the HA Cluster Management web UI application as the local user and verify the role-defined permissions have been assigned to it.
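The same configuration driven from the pcs(8) command line, as an added example that is not part of the original page or of the pcs project. It covers the prerequisites, the Creating Roles, Creating Groups and Creating Users procedures, and the CIB section above: it dumps the CIB with pcs cluster cib and refuses a role, group or user name whose id is already present, since all CIB ids share one namespace. The names (resource_manager_role, group_resource_users, user1) are the page's own examples; the acl_id_in_use helper, the sample_cib dump it is exercised against, and the use of su to run pcs as the local user are constructed for this example and assume a pcs version that supports pcs property config (older releases spell it pcs property show).

```shell
#!/bin/sh
# Added example, not from the original page or the pcs project: the pcs(8)
# command-line equivalent of the web-UI ACL procedures, plus an offline helper
# that checks a proposed ACL name against the ids already in a CIB dump.
# Names are the page's own examples; acl_id_in_use and sample_cib are
# constructed here. Run with --prepare on every node, then --apply on one.
set -eu

ROLE=resource_manager_role
GROUP=group_resource_users
USER1=user1

# Prerequisites, on each node: identical local group/user names everywhere,
# and the user in haclient (otherwise Pacemaker will not talk to it at all).
prepare_node() {
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    id "$USER1" >/dev/null 2>&1 || useradd -m -G "$GROUP" "$USER1"
    usermod -aG haclient "$USER1"
}

# "Enable ACLs" in the UI is the enable-acl cluster property. Until it is
# true, every acl_* element in the CIB is ignored.
enable_acls() {
    pcs property set enable-acl=true
    pcs property config | grep -q 'enable-acl[:=] *true'
}

# All CIB ids share one namespace, so a new role, group or user name must not
# equal an id that is already present (the reason roles must not reuse group
# names). Reads a CIB dump on stdin; true when the name given as $1 is taken.
acl_id_in_use() {
    grep -o ' id="[^"]*"' | grep -qx " id=\"$1\""
}

# The role from the "Creating Roles" procedure: read on the root covers the
# whole tree, write on the resources subtree allows creating, changing and
# deleting any resource. Resource agents run as root on the nodes, so treat
# this write permission as a root-equivalent privilege.
create_role() {
    pcs acl role create "$ROLE" description="manage resources" \
        read xpath /cib \
        write xpath /cib/configuration/resources
}

# The pcs group and pcs user must match the local names exactly.
create_group_and_user() {
    pcs acl group create "$GROUP" "$ROLE"
    pcs acl user create "$USER1" "$ROLE"
}

# Verification as the user: reads must work, and a write outside the granted
# subtree must be refused (pcs reports a permission error from the CIB).
verify_as_user() {
    pcs acl
    su - "$USER1" -c 'pcs resource config' >/dev/null
    if su - "$USER1" -c 'pcs property set stonith-enabled=false' 2>/dev/null; then
        echo "ERROR: $USER1 could write cluster properties" >&2
        return 1
    fi
    echo "ACLs verified for $USER1"
}

apply_acls() {
    enable_acls
    for name in "$ROLE" "$GROUP" "$USER1"; do
        if pcs cluster cib | acl_id_in_use "$name"; then
            echo "ERROR: id $name already exists in the CIB; pick another name or remove it first" >&2
            return 1
        fi
    done
    create_role
    create_group_and_user
    verify_as_user
}

# Constructed sample CIB dump (not captured from a real cluster) for
# exercising acl_id_in_use without a cluster.
sample_cib() {
    cat <<'EOF'
<cib>
  <configuration>
    <resources>
      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
    </resources>
    <acls>
      <acl_role id="resource_manager_role">
        <acl_permission id="resource_manager_role-read" kind="read" xpath="/cib"/>
        <acl_permission id="resource_manager_role-write" kind="write"
                        xpath="/cib/configuration/resources"/>
      </acl_role>
      <acl_group id="group_resource_users">
        <role id="resource_manager_role"/>
      </acl_group>
      <acl_target id="user1">
        <role id="resource_manager_role"/>
      </acl_target>
    </acls>
  </configuration>
</cib>
EOF
}

case "${1:-}" in
    --prepare) prepare_node ;;
    --apply)   apply_acls ;;
esac
```

The verification step is the part worth keeping even if you configure everything in the UI: a read that works proves the haclient membership and the read rule, and a refused write to crm_config proves enforcement is actually on, which a listing from pcs acl alone does not.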