-
Story
-
Resolution: Unresolved
-
Normal
-
None
-
rhel-7.3, rhel-8.0.0
-
Minor
-
sst_high_availability
-
ssg_filesystems_storage_and_HA
-
5
-
False
-
-
Enhancement
-
-
-
Unspecified
---++ Description of problem
unable to use PAM groups to define Access Control Lists in pacemaker
---++ Version-Release number of selected component (if applicable)
pacemaker-cli-1.1.12-22.el7_1.2.x86_64
pacemaker-1.1.12-22.el7_1.2.x86_64
---++ How reproducible
always.
---++ Steps to Reproduce
- create a group
groupadd rogrou - create a user
useradd -G haclient,rogroup rouser - verify
id rouser - uid=4101(rouser) gid=4101(rouser)
- groups=4101(rouser),189(haclient),10001(rogroup)
- enable acl
pcs acl enable - define role
pcs acl role create readonly read xpath /cib - add group
pcs acl group create rogroup readonly - verify
pcs acl
- ACLs are enabled
# - Group: rogroup
- Roles: readonly
- Role: readonly
- Permission: read xpath /cib (readonly-read)
---++ Actual results
[rouser@nodea ~]$ pcs resource
Error: unable to get resource list from crm_resource
Error performing operation: Permission denied
---++ Expected results
resource status shown.
---++ Notes
Directly assigning roles to the user works (pcs acl user create rouser readonly), but groups should be used as multiple users need the same permissions.
