
Linux教程FG324-集群ACL权限配置

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

本文档详细介绍集群ACL(访问控制列表)的配置和管理方法。

风哥提示:

Part01-启用ACL

1.1 启用ACL功能

# 启用ACL
[root@ha-node1 ~]# pcs property set enable-acl=true

# 验证ACL已启用
[root@ha-node1 ~]# pcs property list enable-acl
enable-acl: true

# 查看当前ACL配置
[root@ha-node1 ~]# pcs acl
ACL is enabled

No ACLs configured

# 查看ACL用户
[root@ha-node1 ~]# pcs acl show user
No ACL users configured

Part02-创建ACL用户

2.1 创建用户和角色

# 创建ACL用户
[root@ha-node1 ~]# pcs acl user create clusteradmin
User ‘clusteradmin’ created

# 创建角色
[root@ha-node1 ~]# pcs acl role create administrator description="Full cluster administrator"
Role ‘administrator’ created

# 创建只读角色
[root@ha-node1 ~]# pcs acl role create readonly description="Read-only access"
Role ‘readonly’ created

# 创建操作员角色
[root@ha-node1 ~]# pcs acl role create operator description="Operator access"
Role ‘operator’ created

# 查看角色
[root@ha-node1 ~]# pcs acl role show
Role: administrator
Description: Full cluster administrator

Role: operator
Description: Operator access

Role: readonly
Description: Read-only access

2.2 分配角色权限

# 为管理员角色分配权限
[root@ha-node1 ~]# pcs acl role assign administrator write xpath "/cib"

# 为只读角色分配权限
[root@ha-node1 ~]# pcs acl role assign readonly read xpath "/cib"

# 为操作员角色分配权限
[root@ha-node1 ~]# pcs acl role assign operator read xpath "/cib"
[root@ha-node1 ~]# pcs acl role assign operator write xpath "/cib/status"

# 查看角色权限
[root@ha-node1 ~]# pcs acl role show administrator
Role: administrator
Description: Full cluster administrator
Permissions:
write xpath /cib

[root@ha-node1 ~]# pcs acl role show readonly
Role: readonly
Description: Read-only access
Permissions:
read xpath /cib

[root@ha-node1 ~]# pcs acl role show operator
Role: operator
Description: Operator access
Permissions:
read xpath /cib
write xpath /cib/status

Part03-用户角色分配

3.1 为用户分配角色

# 为用户分配角色
[root@ha-node1 ~]# pcs acl user assign clusteradmin administrator
User ‘clusteradmin’ assigned role ‘administrator’

# 创建新用户并分配角色
[root@ha-node1 ~]# pcs acl user create clusteroperator
User ‘clusteroperator’ created

[root@ha-node1 ~]# pcs acl user assign clusteroperator operator
User ‘clusteroperator’ assigned role ‘operator’

# 创建只读用户
[root@ha-node1 ~]# pcs acl user create clusterviewer
User ‘clusterviewer’ created

[root@ha-node1 ~]# pcs acl user assign clusterviewer readonly
User ‘clusterviewer’ assigned role ‘readonly’

# 查看用户角色
[root@ha-node1 ~]# pcs acl user show clusteradmin
User: clusteradmin
Roles: administrator

[root@ha-node1 ~]# pcs acl user show clusteroperator
User: clusteroperator
Roles: operator

[root@ha-node1 ~]# pcs acl user show clusterviewer
User: clusterviewer
Roles: readonly

3.2 查看所有ACL配置

# 查看所有ACL
[root@ha-node1 ~]# pcs acl
ACL is enabled

Users:
clusteradmin
Roles: administrator
clusteroperator
Roles: operator
clusterviewer
Roles: readonly

Roles:
administrator
Description: Full cluster administrator
Permissions:
write xpath /cib
operator
Description: Operator access
Permissions:
read xpath /cib
write xpath /cib/status
readonly
Description: Read-only access
Permissions:
read xpath /cib

Part04-ACL权限测试

4.1 测试用户权限

# 创建与ACL用户同名的系统用户(ACL按登录用户名匹配,系统用户名必须与前面创建的ACL用户名一致)
[root@ha-node1 ~]# useradd clusteradmin
[root@ha-node1 ~]# passwd clusteradmin
Changing password for user clusteradmin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# 测试管理员权限
[root@ha-node1 ~]# su - clusteradmin
[clusteradmin@ha-node1 ~]$ pcs status
Cluster name: mycluster
Cluster Summary:
* Stack: corosync
* Current DC: ha-node1 (version 2.1.6-1.el9)
* Last updated: Fri Apr 4 11:50:00 2026
* Last change: Fri Apr 4 11:45:00 2026
* 2 nodes configured
* 3 resource instances configured

[clusteradmin@ha-node1 ~]$ pcs resource create test_vip ocf:heartbeat:IPaddr2 ip=192.168.1.150 cidr_netmask=24
Creating Resource (test_vip)…
Resource ‘test_vip’ created

# 测试只读用户
[root@ha-node1 ~]# useradd clusterviewer
[root@ha-node1 ~]# passwd clusterviewer

[root@ha-node1 ~]# su - clusterviewer
[clusterviewer@ha-node1 ~]$ pcs status
Cluster name: mycluster
Cluster Summary:
* Stack: corosync
* Current DC: ha-node1 (version 2.1.6-1.el9)
* Last updated: Fri Apr 4 11:51:00 2026
* Last change: Fri Apr 4 11:50:00 2026
* 2 nodes configured
* 4 resource instances configured

[clusterviewer@ha-node1 ~]$ pcs resource create test_vip2 ocf:heartbeat:IPaddr2 ip=192.168.1.151 cidr_netmask=24
Error: Permission denied
User ‘clusterviewer’ does not have permission to perform this operation

Part05-ACL管理

5.1 修改ACL权限

# 添加权限到角色
[root@ha-node1 ~]# pcs acl role assign operator write xpath "/cib/resources"

# 查看更新后的角色
[root@ha-node1 ~]# pcs acl role show operator
Role: operator
Description: Operator access
Permissions:
read xpath /cib
write xpath /cib/status
write xpath /cib/resources

# 移除角色权限
[root@ha-node1 ~]# pcs acl role unassign operator write xpath "/cib/resources"

# 验证移除
[root@ha-node1 ~]# pcs acl role show operator
Role: operator
Description: Operator access
Permissions:
read xpath /cib
write xpath /cib/status

# 移除用户角色
[root@ha-node1 ~]# pcs acl user unassign clusteroperator operator

# 验证移除
[root@ha-node1 ~]# pcs acl user show clusteroperator
User: clusteroperator
Roles: (none)

5.2 删除ACL配置

# 删除用户
[root@ha-node1 ~]# pcs acl user delete clusterviewer
User ‘clusterviewer’ deleted

# 删除角色
[root@ha-node1 ~]# pcs acl role delete readonly
Role ‘readonly’ deleted

# 验证删除
[root@ha-node1 ~]# pcs acl
ACL is enabled

Users:
clusteradmin
Roles: administrator
clusteroperator
Roles: (none)

Roles:
administrator
Description: Full cluster administrator
Permissions:
write xpath /cib
operator
Description: Operator access
Permissions:
read xpath /cib
write xpath /cib/status

# 禁用ACL(仅为演示清理步骤;按下文建议,生产环境应保持ACL启用)
[root@ha-node1 ~]# pcs property set enable-acl=false

# 验证禁用
[root@ha-node1 ~]# pcs property list enable-acl
enable-acl: false

风哥针对ACL配置建议:

  • 生产环境建议启用ACL
  • 为不同用户分配最小权限
  • 使用角色管理权限
  • 定期审核ACL配置(使用 pcs acl 检查用户、角色与权限是否仍符合预期)
  • 测试用户权限是否正确

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
